cPanel prior to 90.0.10 allows self-XSS via WHM Manage API Tokens interfaces (SEC-569).
cpanel cpanel