cPanel prior to 11.54.0.0 allows unauthorized password changes via Webmail API commands (SEC-65).
Affected vendor and product: cpanel cpanel