cPanel prior to 60.0.25 allows self XSS in WHM Tweak Settings for autodiscover_host (SEC-177).
cpanel cpanel