cPanel before 82.0.15 Insufficient Session Expiration Vulnerability
When a cPanel user’s account was renamed or terminated, the API tokens belonging to the account were left installed on the system under the old name. Any new accounts created with the same name would allow access to the previous account’s API tokens.
The information has been provided by Vendor
The original article can be found at:https://news.cpanel.com/cpanel-tsr-2019-0005-full-disclosure/
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
cPanel before 82.0.15