In cPanel prior to 70.0.23, OpenID providers can inject arbitrary data into cPanel session files (SEC-368).
cpanel cpanel