cPanel TSR-2015-0003 Full Disclosure
Access restrictions on mail routing information not properly enforced.
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N).
The WHM, cPanel and Webmail interfaces each provide the ability to trace the route that email delivery takes. This routing information includes details about how email is routed internally on the server for local delivery destinations. Access restrictions were not correctly enforced in these interfaces, allowing users with limited privileges to view the private email routing details of other accounts.
Authorization was not properly validated for the "email" parameter of the mail routing information request, which allowed any low-privilege user to access another user's mail routing information just by changing the "email" parameter value to the victim user's email address.
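The missing check, shown next to a corrected handler, as an added example that is not cPanel's code or part of the original advisory. The function names, the ownership tables and the per-interface policy (Webmail users see only their own address, cPanel accounts only their own domains, WHM resellers only accounts they own) are assumptions made for illustration.

```python
# Added illustration; all names and the ownership data are hypothetical, not cPanel code.
from dataclasses import dataclass

# Constructed sample data: which account owns which mail domain,
# and which reseller owns which account.
DOMAIN_OWNER = {"alice-shop.example": "alice", "bob-blog.example": "bob"}
ACCOUNT_RESELLER = {"alice": "reseller1", "bob": "root"}

@dataclass(frozen=True)
class Session:
    interface: str   # "webmail", "cpanel" or "whm"
    user: str        # webmail: full address; cpanel: account; whm: reseller or "root"

def split_address(email):
    """Return (local, domain) or None; reject anything that is not one plain address."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.strip().lower().split("@")
    if not local or not domain or any(c.isspace() for c in local + domain):
        return None
    return local, domain

def may_trace(session, email):
    """Server-side check: may the authenticated caller see routing for this address?"""
    parts = split_address(email)
    if parts is None:
        return False
    local, domain = parts
    owner = DOMAIN_OWNER.get(domain)   # None: domain belongs to no local account
    if session.interface == "webmail":
        return f"{local}@{domain}" == session.user.lower()
    if session.interface == "cpanel":
        return owner is not None and owner == session.user
    if session.interface == "whm":
        if session.user == "root":
            return True
        return owner is not None and ACCOUNT_RESELLER.get(owner) == session.user
    return False   # unknown interface: deny by default

def trace_route_vulnerable(session, email):
    # The flaw described above: the supplied "email" is trusted, the session is never consulted.
    return f"routing details for {email}"

def trace_route_fixed(session, email):
    if not may_trace(session, email):
        raise PermissionError("not authorized for this address")
    return f"routing details for {email}"
```

The decision is derived from the authenticated session on the server, never from the request parameter, and the same check has to sit in front of all three interfaces.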