cPanel prior to 57.9999.54 allows self XSS during ftp account creation under addon domains (SEC-118).
cpanel cpanel