CVE-2018-20895

In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).
Source: NIST
CVE-2018-20895