cPanel prior to 70.0.23 allows an open redirect via the /unprotected/redirect.html endpoint (SEC-392).
cpanel cpanel