cPanel (www.cpanel.net) has two file manager applications for managing files: a standard one and a legacy one. Both are vulnerable to an XSS attack. File names are rendered unescaped, so an attacker can craft a malicious file name that executes script on behalf of victims.
This vulnerability was found on cPanel version 11.24.4-CURRENT.
The exploit here has been tested on Firefox 3.0.7 and IE 8.0.
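The unescaped-file-name flaw described above, as an added example (not cPanel's code, which this advisory does not include): a minimal file-listing renderer in Python with the vulnerable pattern beside a version that encodes the name for each output context. The `/files/` URL layout, the function names and the sample file names are assumptions constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample directory listing; two names carry HTML metacharacters.
SAMPLE_NAMES = [
    "index.html",
    "<img src=x onerror=alert(1)>.txt",
    'a"b&c.txt',
]

HTML_META = set('<>"&\'')


def render_row_unsafe(name):
    """Vulnerable pattern: the file name is interpolated into HTML as-is."""
    return '<tr><td><a href="/files/%s">%s</a></td></tr>' % (name, name)


def render_row_safe(name):
    """Hardened pattern: encode the name separately for each output context."""
    href = quote(name, safe="")            # URL path segment inside href
    text = html.escape(name, quote=True)   # HTML text node
    return '<tr><td><a href="/files/%s">%s</a></td></tr>' % (href, text)


def contains_raw_markup(row, name):
    """True if a name with HTML metacharacters survives unencoded in the row."""
    return bool(HTML_META & set(name)) and name in row


def audit(render, names):
    """Return the names that the given renderer would emit unencoded."""
    return [n for n in names if contains_raw_markup(render(n), n)]


if __name__ == "__main__":
    for label, fn in (("unsafe", render_row_unsafe), ("safe", render_row_safe)):
        print(label, "renderer leaks:", audit(fn, SAMPLE_NAMES))
        for n in SAMPLE_NAMES:
            print("   ", fn(n))
```

The same `audit` check can be pointed at any renderer in a regression test, so a listing template that stops encoding file names fails the build.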