cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499).Referenceshttps://documentation.cpanel.net/display/CL/82+Change+Log
