Vulnerabilites related to phplist - phplist
CVE-2020-35708 (GCVE-0-2020-35708)
Vulnerability from cvelistv5
Published
2020-12-25 05:24
Modified
2024-08-04 17:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:09:15.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tufangungor.github.io/exploit/2020/12/15/phplist-3.5.9-sql-injection.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/phplist/files/phplist/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the \"Config - Import Administrators\" page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-25T05:24:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tufangungor.github.io/exploit/2020/12/15/phplist-3.5.9-sql-injection.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/phplist/files/phplist/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-35708",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the \"Config - Import Administrators\" page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tufangungor.github.io/exploit/2020/12/15/phplist-3.5.9-sql-injection.html",
"refsource": "MISC",
"url": "https://tufangungor.github.io/exploit/2020/12/15/phplist-3.5.9-sql-injection.html"
},
{
"name": "https://sourceforge.net/projects/phplist/files/phplist/",
"refsource": "MISC",
"url": "https://sourceforge.net/projects/phplist/files/phplist/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-35708",
"datePublished": "2020-12-25T05:24:04",
"dateReserved": "2020-12-25T00:00:00",
"dateUpdated": "2024-08-04T17:09:15.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20036 (GCVE-0-2017-20036)
Vulnerability from cvelistv5
Published
2022-06-10 09:30
Modified
2025-04-15 14:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-80 - Basic Cross Site Scripting
Summary
A vulnerability, which was classified as problematic, was found in PHPList 3.2.6. Affected is an unknown function of the file /lists/admin/ of the component Bounce Rule. The manipulation leads to cross site scripting (Persistent). It is possible to launch the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | PHPList |
Version: 3.2.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:25.003Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.98922"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20036",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:11:59.209849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:27:25.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PHPList",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "3.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in PHPList 3.2.6. Affected is an unknown function of the file /lists/admin/ of the component Bounce Rule. The manipulation leads to cross site scripting (Persistent). It is possible to launch the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Basic Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-10T09:30:39.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.98922"
}
],
"title": "PHPList Bounce Rule Persistent cross site scriting",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2017-20036",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "PHPList Bounce Rule Persistent cross site scriting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PHPList",
"version": {
"version_data": [
{
"version_value": "3.2.6"
}
]
}
}
]
},
"vendor_name": ""
}
]
}
},
"credit": "Tim Coen",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability, which was classified as problematic, was found in PHPList 3.2.6. Affected is an unknown function of the file /lists/admin/ of the component Bounce Rule. The manipulation leads to cross site scripting (Persistent). It is possible to launch the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "3.5",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80 Basic Cross Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://seclists.org/fulldisclosure/2017/Mar/46",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"name": "https://vuldb.com/?id.98922",
"refsource": "MISC",
"url": "https://vuldb.com/?id.98922"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2017-20036",
"datePublished": "2022-06-10T09:30:39.000Z",
"dateReserved": "2022-06-05T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:27:25.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27576 (GCVE-0-2023-27576)
Vulnerability from cvelistv5
Published
2023-08-18 00:00
Modified
2024-10-07 19:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the user with super-admin permission. Specifically, for a request with updatepassword=1, a modified request (manipulating both the ID parameter and the associated username) can bypass the intended email confirmation requirement. For example, the attacker can start from an updatepassword=1 request with their own ID number, and change the ID number to 1 (representing the super admin account) and change the username to admin2. In the first step, the attacker changes the super admin's email address to one under the attacker's control. In the second step, the attacker performs a password reset for the super admin account. The new password allows login as the super admin, i.e., a successful account takeover.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:16:35.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cupc4k3.lol/cve-2023-27576-hacking-phplist-how-i-gained-super-admin-access-44c7c90d82da"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/pull/986"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.phplist.org/newslist/phplist-3-6-14-release-notes/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27576",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T19:43:55.423890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T19:44:44.826Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the system\u0027s super admin, allowing one to perform an account takeover of the user with super-admin permission. Specifically, for a request with updatepassword=1, a modified request (manipulating both the ID parameter and the associated username) can bypass the intended email confirmation requirement. For example, the attacker can start from an updatepassword=1 request with their own ID number, and change the ID number to 1 (representing the super admin account) and change the username to admin2. In the first step, the attacker changes the super admin\u0027s email address to one under the attacker\u0027s control. In the second step, the attacker performs a password reset for the super admin account. The new password allows login as the super admin, i.e., a successful account takeover."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-06T05:10:31.735477",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://cupc4k3.lol/cve-2023-27576-hacking-phplist-how-i-gained-super-admin-access-44c7c90d82da"
},
{
"url": "https://github.com/phpList/phplist3/pull/986"
},
{
"url": "https://www.phplist.org/newslist/phplist-3-6-14-release-notes/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-27576",
"datePublished": "2023-08-18T00:00:00",
"dateReserved": "2023-03-03T00:00:00",
"dateUpdated": "2024-10-07T19:44:44.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15073 (GCVE-0-2020-15073)
Vulnerability from cvelistv5
Published
2020-07-08 19:22
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-07-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-09T15:49:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15073",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/",
"refsource": "CONFIRM",
"url": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/"
},
{
"name": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377",
"refsource": "CONFIRM",
"url": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377"
},
{
"name": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html",
"refsource": "MISC",
"url": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15073",
"datePublished": "2020-07-08T19:22:07",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:21.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12639 (GCVE-0-2020-12639)
Vulnerability from cvelistv5
Published
2020-05-04 13:36
Modified
2024-08-04 12:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-3-release-notes/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/compare/3.5.2...3.5.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-04T13:36:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-3-release-notes/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/compare/3.5.2...3.5.3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12639",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.phplist.org/newslist/phplist-3-5-3-release-notes/",
"refsource": "MISC",
"url": "https://www.phplist.org/newslist/phplist-3-5-3-release-notes/"
},
{
"name": "https://github.com/phpList/phplist3/compare/3.5.2...3.5.3",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/compare/3.5.2...3.5.3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12639",
"datePublished": "2020-05-04T13:36:59",
"dateReserved": "2020-05-04T00:00:00",
"dateUpdated": "2024-08-04T12:04:22.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23207 (GCVE-0-2020-23207)
Vulnerability from cvelistv5
Published
2021-07-01 20:09
Modified
2024-08-04 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Edit Values" field under the "Configure Attributes" module.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:14.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/664"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Edit Values\" field under the \"Configure Attributes\" module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T20:09:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/664"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23207",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Edit Values\" field under the \"Configure Attributes\" module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/664",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/664"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23207",
"datePublished": "2021-07-01T20:09:53",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:14.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-4246 (GCVE-0-2012-4246)
Vulnerability from cvelistv5
Published
2012-08-12 00:00
Modified
2024-09-17 02:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:28:07.747Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisory/httpcs25"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisory/httpcs24"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisory/httpcs23"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisory/httpcs26"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-08-12T00:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisory/httpcs25"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisory/httpcs24"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisory/httpcs23"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisory/httpcs26"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-4246",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.httpcs.com/advisory/httpcs25",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisory/httpcs25"
},
{
"name": "http://www.phplist.com/?lid=579",
"refsource": "CONFIRM",
"url": "http://www.phplist.com/?lid=579"
},
{
"name": "https://www.httpcs.com/advisory/httpcs24",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisory/httpcs24"
},
{
"name": "https://www.httpcs.com/advisories",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisories"
},
{
"name": "https://www.httpcs.com/advisory/httpcs23",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisory/httpcs23"
},
{
"name": "https://www.httpcs.com/advisory/httpcs26",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisory/httpcs26"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-4246",
"datePublished": "2012-08-12T00:00:00Z",
"dateReserved": "2012-08-11T00:00:00Z",
"dateUpdated": "2024-09-17T02:21:49.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2741 (GCVE-0-2012-2741)
Vulnerability from cvelistv5
Published
2012-09-06 17:00
Modified
2024-09-16 20:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:42:32.501Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1027181",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://securitytracker.com/id?1027181"
},
{
"name": "52657",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/52657"
},
{
"name": "[oss-security] 20120616 CVE request: phplist before 2.10.18 XSS and sql injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/16/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mantis.phplist.com/view.php?id=16557"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php"
},
{
"name": "18639",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/18639"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.phplist.com/?lid=567"
},
{
"name": "[oss-security] 20120616 Re: CVE request: phplist before 2.10.18 XSS and sql injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/17/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-09-06T17:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "1027181",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://securitytracker.com/id?1027181"
},
{
"name": "52657",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/52657"
},
{
"name": "[oss-security] 20120616 CVE request: phplist before 2.10.18 XSS and sql injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/16/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mantis.phplist.com/view.php?id=16557"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php"
},
{
"name": "18639",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/18639"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.phplist.com/?lid=567"
},
{
"name": "[oss-security] 20120616 Re: CVE request: phplist before 2.10.18 XSS and sql injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/17/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-2741",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1027181",
"refsource": "SECTRACK",
"url": "http://securitytracker.com/id?1027181"
},
{
"name": "52657",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/52657"
},
{
"name": "[oss-security] 20120616 CVE request: phplist before 2.10.18 XSS and sql injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/06/16/1"
},
{
"name": "https://mantis.phplist.com/view.php?id=16557",
"refsource": "MISC",
"url": "https://mantis.phplist.com/view.php?id=16557"
},
{
"name": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php",
"refsource": "MISC",
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php"
},
{
"name": "18639",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/18639"
},
{
"name": "https://www.phplist.com/?lid=567",
"refsource": "CONFIRM",
"url": "https://www.phplist.com/?lid=567"
},
{
"name": "[oss-security] 20120616 Re: CVE request: phplist before 2.10.18 XSS and sql injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/06/17/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-2741",
"datePublished": "2012-09-06T17:00:00Z",
"dateReserved": "2012-05-14T00:00:00Z",
"dateUpdated": "2024-09-16T20:06:26.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2916 (GCVE-0-2014-2916)
Vulnerability from cvelistv5
Published
2014-05-05 16:00
Modified
2024-08-06 10:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:28:46.208Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "57893",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57893"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://labs.davidsopas.com/2014/04/phplist-csrf-on-subscription-page.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.phplist.com/?lid=638"
},
{
"name": "1030191",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1030191"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-05-12T18:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "57893",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57893"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://labs.davidsopas.com/2014/04/phplist-csrf-on-subscription-page.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.phplist.com/?lid=638"
},
{
"name": "1030191",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1030191"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-2916",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "57893",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57893"
},
{
"name": "http://labs.davidsopas.com/2014/04/phplist-csrf-on-subscription-page.html",
"refsource": "MISC",
"url": "http://labs.davidsopas.com/2014/04/phplist-csrf-on-subscription-page.html"
},
{
"name": "http://www.phplist.com/?lid=638",
"refsource": "CONFIRM",
"url": "http://www.phplist.com/?lid=638"
},
{
"name": "1030191",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1030191"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-2916",
"datePublished": "2014-05-05T16:00:00",
"dateReserved": "2014-04-18T00:00:00",
"dateUpdated": "2024-08-06T10:28:46.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-3952 (GCVE-0-2012-3952)
Vulnerability from cvelistv5
Published
2012-08-12 00:00
Modified
2024-08-06 20:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:21:04.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23100"
},
{
"name": "phplist-unconfirmed-xss(77526)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77526"
},
{
"name": "54887",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/54887"
},
{
"name": "20120808 Multiple Vulnerabilities in phpList",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html"
},
{
"name": "50150",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/50150"
},
{
"name": "84482",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/84482"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-08-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23100"
},
{
"name": "phplist-unconfirmed-xss(77526)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77526"
},
{
"name": "54887",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/54887"
},
{
"name": "20120808 Multiple Vulnerabilities in phpList",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html"
},
{
"name": "50150",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/50150"
},
{
"name": "84482",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/84482"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-3952",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.phplist.com/?lid=579",
"refsource": "CONFIRM",
"url": "http://www.phplist.com/?lid=579"
},
{
"name": "https://www.htbridge.com/advisory/HTB23100",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23100"
},
{
"name": "phplist-unconfirmed-xss(77526)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77526"
},
{
"name": "54887",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/54887"
},
{
"name": "20120808 Multiple Vulnerabilities in phpList",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html"
},
{
"name": "50150",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/50150"
},
{
"name": "84482",
"refsource": "OSVDB",
"url": "http://osvdb.org/84482"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-3952",
"datePublished": "2012-08-12T00:00:00",
"dateReserved": "2012-07-11T00:00:00",
"dateUpdated": "2024-08-06T20:21:04.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-3953 (GCVE-0-2012-3953)
Vulnerability from cvelistv5
Published
2012-08-12 00:00
Modified
2024-08-06 20:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:21:04.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23100"
},
{
"name": "20120808 Multiple Vulnerabilities in phpList",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html"
},
{
"name": "84483",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/84483"
},
{
"name": "phplist-delete-sql-injection(77527)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77527"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-08-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23100"
},
{
"name": "20120808 Multiple Vulnerabilities in phpList",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html"
},
{
"name": "84483",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/84483"
},
{
"name": "phplist-delete-sql-injection(77527)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77527"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-3953",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.phplist.com/?lid=579",
"refsource": "CONFIRM",
"url": "http://www.phplist.com/?lid=579"
},
{
"name": "https://www.htbridge.com/advisory/HTB23100",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23100"
},
{
"name": "20120808 Multiple Vulnerabilities in phpList",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html"
},
{
"name": "84483",
"refsource": "OSVDB",
"url": "http://osvdb.org/84483"
},
{
"name": "phplist-delete-sql-injection(77527)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77527"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-3953",
"datePublished": "2012-08-12T00:00:00",
"dateReserved": "2012-07-11T00:00:00",
"dateUpdated": "2024-08-06T20:21:04.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23192 (GCVE-0-2020-23192)
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload in the "admin" parameter under the "Manage administrators" module.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:14.436Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/671"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload in the \"admin\" parameter under the \"Manage administrators\" module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-02T17:51:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/671"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23192",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload in the \"admin\" parameter under the \"Manage administrators\" module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/671",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/671"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23192",
"datePublished": "2021-07-02T17:51:20",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:14.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-4247 (GCVE-0-2012-4247)
Vulnerability from cvelistv5
Published
2012-08-12 00:00
Modified
2024-09-16 18:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:28:07.683Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisory/httpcs1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisory/httpcs4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisory/httpcs3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisory/httpcs2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisory/httpcs6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.httpcs.com/advisory/httpcs7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-08-12T00:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisory/httpcs1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisory/httpcs4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisory/httpcs3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisory/httpcs2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisory/httpcs6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.httpcs.com/advisory/httpcs7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-4247",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.phplist.com/?lid=579",
"refsource": "CONFIRM",
"url": "http://www.phplist.com/?lid=579"
},
{
"name": "https://www.httpcs.com/advisory/httpcs1",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisory/httpcs1"
},
{
"name": "https://www.httpcs.com/advisories",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisories"
},
{
"name": "https://www.httpcs.com/advisory/httpcs4",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisory/httpcs4"
},
{
"name": "https://www.httpcs.com/advisory/httpcs3",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisory/httpcs3"
},
{
"name": "https://www.httpcs.com/advisory/httpcs2",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisory/httpcs2"
},
{
"name": "https://www.httpcs.com/advisory/httpcs6",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisory/httpcs6"
},
{
"name": "https://www.httpcs.com/advisory/httpcs7",
"refsource": "MISC",
"url": "https://www.httpcs.com/advisory/httpcs7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-4247",
"datePublished": "2012-08-12T00:00:00Z",
"dateReserved": "2012-08-11T00:00:00Z",
"dateUpdated": "2024-09-16T18:54:38.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20029 (GCVE-0-2017-20029)
Vulnerability from cvelistv5
Published
2022-06-10 09:30
Modified
2025-04-15 14:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - SQL Injection
Summary
A vulnerability was found in PHPList 3.2.6 and classified as critical. This issue affects some unknown processing of the file /lists/index.php of the component Edit Subscription. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | PHPList |
Version: 3.2.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:24.944Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.98915"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20029",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T16:56:19.172088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:28:38.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PHPList",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "3.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PHPList 3.2.6 and classified as critical. This issue affects some unknown processing of the file /lists/index.php of the component Edit Subscription. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-10T09:30:28.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.98915"
}
],
"title": "PHPList Edit Subscription index.php sql injection",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2017-20029",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "PHPList Edit Subscription index.php sql injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PHPList",
"version": {
"version_data": [
{
"version_value": "3.2.6"
}
]
}
}
]
},
"vendor_name": ""
}
]
}
},
"credit": "Tim Coen",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in PHPList 3.2.6 and classified as critical. This issue affects some unknown processing of the file /lists/index.php of the component Edit Subscription. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "7.3",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://seclists.org/fulldisclosure/2017/Mar/45",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"name": "https://vuldb.com/?id.98915",
"refsource": "MISC",
"url": "https://vuldb.com/?id.98915"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2017-20029",
"datePublished": "2022-06-10T09:30:28.000Z",
"dateReserved": "2022-06-05T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:28:38.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2740 (GCVE-0-2012-2740)
Vulnerability from cvelistv5
Published
2012-09-06 17:00
Modified
2024-09-16 18:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:42:32.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1027181",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://securitytracker.com/id?1027181"
},
{
"name": "52657",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/52657"
},
{
"name": "[oss-security] 20120616 CVE request: phplist before 2.10.18 XSS and sql injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/16/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mantis.phplist.com/view.php?id=16557"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php"
},
{
"name": "18639",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/18639"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.phplist.com/?lid=567"
},
{
"name": "[oss-security] 20120616 Re: CVE request: phplist before 2.10.18 XSS and sql injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/17/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-09-06T17:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "1027181",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://securitytracker.com/id?1027181"
},
{
"name": "52657",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/52657"
},
{
"name": "[oss-security] 20120616 CVE request: phplist before 2.10.18 XSS and sql injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/16/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mantis.phplist.com/view.php?id=16557"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php"
},
{
"name": "18639",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/18639"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.phplist.com/?lid=567"
},
{
"name": "[oss-security] 20120616 Re: CVE request: phplist before 2.10.18 XSS and sql injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/17/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-2740",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1027181",
"refsource": "SECTRACK",
"url": "http://securitytracker.com/id?1027181"
},
{
"name": "52657",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/52657"
},
{
"name": "[oss-security] 20120616 CVE request: phplist before 2.10.18 XSS and sql injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/06/16/1"
},
{
"name": "https://mantis.phplist.com/view.php?id=16557",
"refsource": "MISC",
"url": "https://mantis.phplist.com/view.php?id=16557"
},
{
"name": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php",
"refsource": "MISC",
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php"
},
{
"name": "18639",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/18639"
},
{
"name": "https://www.phplist.com/?lid=567",
"refsource": "CONFIRM",
"url": "https://www.phplist.com/?lid=567"
},
{
"name": "[oss-security] 20120616 Re: CVE request: phplist before 2.10.18 XSS and sql injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/06/17/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-2740",
"datePublished": "2012-09-06T17:00:00Z",
"dateReserved": "2012-05-14T00:00:00Z",
"dateUpdated": "2024-09-16T18:03:41.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-28073 (GCVE-0-2025-28073)
Vulnerability from cvelistv5
Published
2025-05-08 00:00
Modified
2025-06-07 18:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-28073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T18:26:32.522107Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T18:28:52.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-07T18:47:04.353Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpList/phplist3"
},
{
"url": "https://github.com/mLniumm/CVE-2025-28073"
},
{
"url": "https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15"
},
{
"url": "https://www.phplist.org/newslist/phplist-3-6-15-release-notes/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-28073",
"datePublished": "2025-05-08T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-06-07T18:47:04.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-6178 (GCVE-0-2008-6178)
Vulnerability from cvelistv5
Published
2009-02-19 16:00
Modified
2024-08-07 11:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T11:20:25.361Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "31812",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/31812"
},
{
"name": "33973",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/33973"
},
{
"name": "ADV-2009-0447",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2009/0447"
},
{
"name": "falt4-fckeditor-file-upload(48769)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48769"
},
{
"name": "8060",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/8060"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-10-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "31812",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/31812"
},
{
"name": "33973",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/33973"
},
{
"name": "ADV-2009-0447",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2009/0447"
},
{
"name": "falt4-fckeditor-file-upload(48769)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48769"
},
{
"name": "8060",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/8060"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-6178",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "31812",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/31812"
},
{
"name": "33973",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/33973"
},
{
"name": "ADV-2009-0447",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2009/0447"
},
{
"name": "falt4-fckeditor-file-upload(48769)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48769"
},
{
"name": "8060",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/8060"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-6178",
"datePublished": "2009-02-19T16:00:00",
"dateReserved": "2009-02-19T00:00:00",
"dateUpdated": "2024-08-07T11:20:25.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36398 (GCVE-0-2020-36398)
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 17:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "Campaign" field under the "Send a campaign" module.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/676"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the \"Campaign\" field under the \"Send a campaign\" module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-02T17:51:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/676"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36398",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the \"Campaign\" field under the \"Send a campaign\" module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/676",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/676"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36398",
"datePublished": "2021-07-02T17:51:30",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-08-04T17:23:10.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20034 (GCVE-0-2017-20034)
Vulnerability from cvelistv5
Published
2022-06-10 09:30
Modified
2025-04-15 14:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-80 - Basic Cross Site Scripting
Summary
A vulnerability classified as problematic was found in PHPList 3.2.6. This vulnerability affects unknown code of the file /lists/admin/ of the component List Name. The manipulation leads to cross site scripting (Persistent). The attack can be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | PHPList |
Version: 3.2.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:24.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.98920"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20034",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:12:07.599202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:27:44.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PHPList",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "3.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic was found in PHPList 3.2.6. This vulnerability affects unknown code of the file /lists/admin/ of the component List Name. The manipulation leads to cross site scripting (Persistent). The attack can be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Basic Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-10T09:30:36.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.98920"
}
],
"title": "PHPList List Name Persistent cross site scriting",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2017-20034",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "PHPList List Name Persistent cross site scriting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PHPList",
"version": {
"version_data": [
{
"version_value": "3.2.6"
}
]
}
}
]
},
"vendor_name": ""
}
]
}
},
"credit": "Tim Coen",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability classified as problematic was found in PHPList 3.2.6. This vulnerability affects unknown code of the file /lists/admin/ of the component List Name. The manipulation leads to cross site scripting (Persistent). The attack can be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "3.5",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80 Basic Cross Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://seclists.org/fulldisclosure/2017/Mar/46",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"name": "https://vuldb.com/?id.98920",
"refsource": "MISC",
"url": "https://vuldb.com/?id.98920"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2017-20034",
"datePublished": "2022-06-10T09:30:36.000Z",
"dateReserved": "2022-06-05T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:27:44.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23361 (GCVE-0-2020-23361)
Vulnerability from cvelistv5
Published
2021-01-27 15:30
Modified
2024-08-04 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:15.179Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/668"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-27T15:30:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/668"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23361",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/668",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/668"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23361",
"datePublished": "2021-01-27T15:30:07",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:15.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15072 (GCVE-0-2020-15072)
Vulnerability from cvelistv5
Published
2020-07-08 19:24
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-07-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-09T15:48:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15072",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/",
"refsource": "CONFIRM",
"url": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/"
},
{
"name": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377",
"refsource": "CONFIRM",
"url": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377"
},
{
"name": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html",
"refsource": "MISC",
"url": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15072",
"datePublished": "2020-07-08T19:24:34",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:21.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23190 (GCVE-0-2020-23190)
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross site scripting (XSS) vulnerability in the "Import emails" module in phplist 3.5.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:14.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/667"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in the \"Import emails\" module in phplist 3.5.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-02T17:51:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/667"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23190",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in the \"Import emails\" module in phplist 3.5.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/667",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/667"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23190",
"datePublished": "2021-07-02T17:51:18",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:14.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8547 (GCVE-0-2020-8547)
Vulnerability from cvelistv5
Published
2020-02-03 15:52
Modified
2024-08-04 10:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.119Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/47989"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-03T15:52:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.exploit-db.com/exploits/47989"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8547",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.exploit-db.com/exploits/47989",
"refsource": "MISC",
"url": "https://www.exploit-db.com/exploits/47989"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8547",
"datePublished": "2020-02-03T15:52:13",
"dateReserved": "2020-02-03T00:00:00",
"dateUpdated": "2024-08-04T10:03:46.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23208 (GCVE-0-2020-23208)
Vulnerability from cvelistv5
Published
2021-07-01 20:10
Modified
2024-08-04 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Send test" field under the "Start or continue campaign" module.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:14.742Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/665"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Send test\" field under the \"Start or continue campaign\" module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T20:10:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/665"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23208",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Send test\" field under the \"Start or continue campaign\" module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/665",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/665"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23208",
"datePublished": "2021-07-01T20:10:45",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:14.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-22251 (GCVE-0-2020-22251)
Vulnerability from cvelistv5
Published
2021-07-06 19:20
Modified
2024-08-04 14:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:51:10.730Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/660"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-06T19:20:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/660"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-22251",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/660",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/660"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-22251",
"datePublished": "2021-07-06T19:20:03",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:51:10.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23209 (GCVE-0-2020-23209)
Vulnerability from cvelistv5
Published
2021-07-01 20:12
Modified
2024-08-04 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "List Description" field under the "Edit A List" module.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:14.552Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/666"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"List Description\" field under the \"Edit A List\" module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T20:12:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/666"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23209",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"List Description\" field under the \"Edit A List\" module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/666",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/666"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23209",
"datePublished": "2021-07-01T20:12:03",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:14.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23217 (GCVE-0-2020-23217)
Vulnerability from cvelistv5
Published
2021-07-01 20:13
Modified
2024-08-04 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add a list" field under the "Import Emails" module.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:14.758Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/672"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Add a list\" field under the \"Import Emails\" module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T20:13:55",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/672"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23217",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Add a list\" field under the \"Import Emails\" module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/",
"refsource": "MISC",
"url": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/"
},
{
"name": "https://github.com/phpList/phplist3/issues/672",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/672"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23217",
"datePublished": "2021-07-01T20:13:55",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:14.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20033 (GCVE-0-2017-20033)
Vulnerability from cvelistv5
Published
2022-06-10 09:30
Modified
2025-04-15 14:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-80 - Basic Cross Site Scripting
Summary
A vulnerability classified as problematic has been found in PHPList 3.2.6. This affects an unknown part of the file /lists/admin/. The manipulation of the argument page with the input send\'\";><script>alert(8)</script> leads to cross site scripting (Reflected). It is possible to initiate the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | PHPList |
Version: 3.2.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:24.961Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.98919"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20033",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:12:11.536634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:27:56.847Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PHPList",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "3.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in PHPList 3.2.6. This affects an unknown part of the file /lists/admin/. The manipulation of the argument page with the input send\\\u0027\\\";\u003e\u003cscript\u003ealert(8)\u003c/script\u003e leads to cross site scripting (Reflected). It is possible to initiate the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Basic Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-10T09:30:34.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.98919"
}
],
"title": "PHPList Reflected cross site scriting",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2017-20033",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "PHPList Reflected cross site scriting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PHPList",
"version": {
"version_data": [
{
"version_value": "3.2.6"
}
]
}
}
]
},
"vendor_name": ""
}
]
}
},
"credit": "Tim Coen",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability classified as problematic has been found in PHPList 3.2.6. This affects an unknown part of the file /lists/admin/. The manipulation of the argument page with the input send\\\u0027\\\";\u003e\u003cscript\u003ealert(8)\u003c/script\u003e leads to cross site scripting (Reflected). It is possible to initiate the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80 Basic Cross Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://seclists.org/fulldisclosure/2017/Mar/46",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"name": "https://vuldb.com/?id.98919",
"refsource": "MISC",
"url": "https://vuldb.com/?id.98919"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2017-20033",
"datePublished": "2022-06-10T09:30:34.000Z",
"dateReserved": "2022-06-05T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:27:56.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13827 (GCVE-0-2020-13827)
Vulnerability from cvelistv5
Published
2020-06-04 14:48
Modified
2024-08-04 12:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:25:16.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-004"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-27T11:58:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-004"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13827",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/",
"refsource": "MISC",
"url": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/"
},
{
"name": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-004",
"refsource": "MISC",
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-004"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13827",
"datePublished": "2020-06-04T14:48:05",
"dateReserved": "2020-06-04T00:00:00",
"dateUpdated": "2024-08-04T12:25:16.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-28074 (GCVE-0-2025-28074)
Vulnerability from cvelistv5
Published
2025-05-08 00:00
Modified
2025-06-07 14:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-28074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T21:49:07.126779Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T22:05:56.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-07T14:42:05.947Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpList/phplist3/blob/main/public_html/lists/lt.php"
},
{
"url": "https://github.com/mLniumm/CVE-2025-28074"
},
{
"url": "https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15"
},
{
"url": "https://www.phplist.org/newslist/phplist-3-6-15-release-notes/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-28074",
"datePublished": "2025-05-08T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-06-07T14:42:05.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3188 (GCVE-0-2021-3188)
Vulnerability from cvelistv5
Published
2021-01-21 06:54
Modified
2024-08-03 16:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.412Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wehackmx.com/security-research/WeHackMX-2021-001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-21T06:54:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wehackmx.com/security-research/WeHackMX-2021-001/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-3188",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wehackmx.com/security-research/WeHackMX-2021-001/",
"refsource": "MISC",
"url": "https://wehackmx.com/security-research/WeHackMX-2021-001/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-3188",
"datePublished": "2021-01-21T06:54:34",
"dateReserved": "2021-01-21T00:00:00",
"dateUpdated": "2024-08-03T16:45:51.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36399 (GCVE-0-2020-36399)
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 17:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "rule1" parameter under the "Bounce Rules" module.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.551Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/675"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the \"rule1\" parameter under the \"Bounce Rules\" module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-02T17:51:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/675"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36399",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the \"rule1\" parameter under the \"Bounce Rules\" module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/675",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/675"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36399",
"datePublished": "2021-07-02T17:51:32",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-08-04T17:23:10.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-22249 (GCVE-0-2020-22249)
Vulnerability from cvelistv5
Published
2021-07-06 19:47
Modified
2024-08-04 14:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file, Uploading a malicious plugin which contains the php files with extensions like PHP,phtml,php7 will be copied to the plugins directory which would lead to the remote code execution
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:51:10.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drive.google.com/open?id=1znDU4fDKA_seg16mJLLtgaaFfvmf-mS6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file, Uploading a malicious plugin which contains the php files with extensions like PHP,phtml,php7 will be copied to the plugins directory which would lead to the remote code execution"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-06T19:47:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/open?id=1znDU4fDKA_seg16mJLLtgaaFfvmf-mS6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-22249",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file, Uploading a malicious plugin which contains the php files with extensions like PHP,phtml,php7 will be copied to the plugins directory which would lead to the remote code execution"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://drive.google.com/open?id=1znDU4fDKA_seg16mJLLtgaaFfvmf-mS6",
"refsource": "MISC",
"url": "https://drive.google.com/open?id=1znDU4fDKA_seg16mJLLtgaaFfvmf-mS6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-22249",
"datePublished": "2021-07-06T19:47:39",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:51:10.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20032 (GCVE-0-2017-20032)
Vulnerability from cvelistv5
Published
2022-06-10 09:30
Modified
2025-04-15 14:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - SQL Injection
Summary
A vulnerability was found in PHPList 3.2.6. It has been rated as critical. Affected by this issue is some unknown functionality of the component Subscription. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | PHPList |
Version: 3.2.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:25.092Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.98918"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20032",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:12:16.252359Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:28:07.054Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PHPList",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "3.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PHPList 3.2.6. It has been rated as critical. Affected by this issue is some unknown functionality of the component Subscription. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-10T09:30:33.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.98918"
}
],
"title": "PHPList Subscription sql injection",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2017-20032",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "PHPList Subscription sql injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PHPList",
"version": {
"version_data": [
{
"version_value": "3.2.6"
}
]
}
}
]
},
"vendor_name": ""
}
]
}
},
"credit": "Tim Coen",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in PHPList 3.2.6. It has been rated as critical. Affected by this issue is some unknown functionality of the component Subscription. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "6.3",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://seclists.org/fulldisclosure/2017/Mar/45",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"name": "https://vuldb.com/?id.98918",
"refsource": "MISC",
"url": "https://vuldb.com/?id.98918"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2017-20032",
"datePublished": "2022-06-10T09:30:33.000Z",
"dateReserved": "2022-06-05T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:28:07.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20031 (GCVE-0-2017-20031)
Vulnerability from cvelistv5
Published
2022-06-10 09:30
Modified
2025-04-15 14:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Information Disclosure
Summary
A vulnerability was found in PHPList 3.2.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument sortby with the input password leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | PHPList |
Version: 3.2.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:24.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.98917"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20031",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:12:20.670534Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:28:16.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PHPList",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "3.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PHPList 3.2.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument sortby with the input password leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-10T09:30:31.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.98917"
}
],
"title": "PHPList information disclosure",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2017-20031",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "PHPList information disclosure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PHPList",
"version": {
"version_data": [
{
"version_value": "3.2.6"
}
]
}
}
]
},
"vendor_name": ""
}
]
}
},
"credit": "Tim Coen",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in PHPList 3.2.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument sortby with the input password leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "2.7",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://seclists.org/fulldisclosure/2017/Mar/45",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"name": "https://vuldb.com/?id.98917",
"refsource": "MISC",
"url": "https://vuldb.com/?id.98917"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2017-20031",
"datePublished": "2022-06-10T09:30:31.000Z",
"dateReserved": "2022-06-05T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:28:16.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23194 (GCVE-0-2020-23194)
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross site scripting (XSS) vulnerability in the "Import Subscribers" feature in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:14.541Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/678"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in the \"Import Subscribers\" feature in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-02T17:51:23",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/678"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23194",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in the \"Import Subscribers\" feature in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/678",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/678"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23194",
"datePublished": "2021-07-02T17:51:23",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:14.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20030 (GCVE-0-2017-20030)
Vulnerability from cvelistv5
Published
2022-06-10 09:30
Modified
2025-04-15 14:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - SQL Injection
Summary
A vulnerability was found in PHPList 3.2.6. It has been classified as critical. Affected is an unknown function of the file /lists/admin/ of the component Sending Campain. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | PHPList |
Version: 3.2.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:25.021Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.98916"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20030",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:12:24.919981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:28:27.362Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PHPList",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "3.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PHPList 3.2.6. It has been classified as critical. Affected is an unknown function of the file /lists/admin/ of the component Sending Campain. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-10T09:30:30.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.98916"
}
],
"title": "PHPList Sending Campain sql injection",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2017-20030",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "PHPList Sending Campain sql injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PHPList",
"version": {
"version_data": [
{
"version_value": "3.2.6"
}
]
}
}
]
},
"vendor_name": ""
}
]
}
},
"credit": "Tim Coen",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in PHPList 3.2.6. It has been classified as critical. Affected is an unknown function of the file /lists/admin/ of the component Sending Campain. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "4.7",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://seclists.org/fulldisclosure/2017/Mar/45",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"name": "https://vuldb.com/?id.98916",
"refsource": "MISC",
"url": "https://vuldb.com/?id.98916"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2017-20030",
"datePublished": "2022-06-10T09:30:30.000Z",
"dateReserved": "2022-06-05T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:28:27.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23214 (GCVE-0-2020-23214)
Vulnerability from cvelistv5
Published
2021-07-01 20:12
Modified
2024-08-04 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Configure categories" field under the "Categorise Lists" module.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:14.749Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpList/phplist3/issues/669"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Configure categories\" field under the \"Categorise Lists\" module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T20:12:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpList/phplist3/issues/669"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23214",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Configure categories\" field under the \"Categorise Lists\" module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpList/phplist3/issues/669",
"refsource": "MISC",
"url": "https://github.com/phpList/phplist3/issues/669"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23214",
"datePublished": "2021-07-01T20:12:51",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:14.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2006-5524 (GCVE-0-2006-5524)
Vulnerability from cvelistv5
Published
2006-10-26 16:00
Modified
2024-08-07 19:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T19:55:52.979Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20577",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/20577/info"
},
{
"name": "20061016 [Xss] IN phplist v 2.10.2, \u0026copy;",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/448923/100/100/threaded"
},
{
"name": "22431",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/22431"
},
{
"name": "1779",
"tags": [
"third-party-advisory",
"x_refsource_SREASON",
"x_transferred"
],
"url": "http://securityreason.com/securityalert/1779"
},
{
"name": "1017102",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://securitytracker.com/alerts/2006/Oct/1017102.html"
},
{
"name": "ADV-2006-4084",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2006/4084"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2006-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-17T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20577",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/20577/info"
},
{
"name": "20061016 [Xss] IN phplist v 2.10.2, \u0026copy;",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/448923/100/100/threaded"
},
{
"name": "22431",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/22431"
},
{
"name": "1779",
"tags": [
"third-party-advisory",
"x_refsource_SREASON"
],
"url": "http://securityreason.com/securityalert/1779"
},
{
"name": "1017102",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://securitytracker.com/alerts/2006/Oct/1017102.html"
},
{
"name": "ADV-2006-4084",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2006/4084"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2006-5524",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20577",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/20577/info"
},
{
"name": "20061016 [Xss] IN phplist v 2.10.2, \u0026copy;",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/448923/100/100/threaded"
},
{
"name": "22431",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/22431"
},
{
"name": "1779",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/1779"
},
{
"name": "1017102",
"refsource": "SECTRACK",
"url": "http://securitytracker.com/alerts/2006/Oct/1017102.html"
},
{
"name": "ADV-2006-4084",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2006/4084"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2006-5524",
"datePublished": "2006-10-26T16:00:00",
"dateReserved": "2006-10-26T00:00:00",
"dateUpdated": "2024-08-07T19:55:52.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20035 (GCVE-0-2017-20035)
Vulnerability from cvelistv5
Published
2022-06-10 09:30
Modified
2025-04-15 14:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-80 - Basic Cross Site Scripting
Summary
A vulnerability, which was classified as problematic, has been found in PHPList 3.2.6. This issue affects some unknown processing of the file /lists/admin/ of the component Subscribe. The manipulation leads to cross site scripting (Persistent). The attack may be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | PHPList |
Version: 3.2.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:24.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.98921"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20035",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:12:03.533363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:27:36.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PHPList",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "3.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, has been found in PHPList 3.2.6. This issue affects some unknown processing of the file /lists/admin/ of the component Subscribe. The manipulation leads to cross site scripting (Persistent). The attack may be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Basic Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-10T09:30:37.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.98921"
}
],
"title": "PHPList Subscribe Persistent cross site scriting",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2017-20035",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "PHPList Subscribe Persistent cross site scriting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PHPList",
"version": {
"version_data": [
{
"version_value": "3.2.6"
}
]
}
}
]
},
"vendor_name": ""
}
]
}
},
"credit": "Tim Coen",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability, which was classified as problematic, has been found in PHPList 3.2.6. This issue affects some unknown processing of the file /lists/admin/ of the component Subscribe. The manipulation leads to cross site scripting (Persistent). The attack may be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "3.5",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80 Basic Cross Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://seclists.org/fulldisclosure/2017/Mar/46",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"name": "https://vuldb.com/?id.98921",
"refsource": "MISC",
"url": "https://vuldb.com/?id.98921"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2017-20035",
"datePublished": "2022-06-10T09:30:37.000Z",
"dateReserved": "2022-06-05T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:27:36.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2022-06-10 10:15
Modified
2024-11-21 03:22
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability, which was classified as problematic, has been found in PHPList 3.2.6. This issue affects some unknown processing of the file /lists/admin/ of the component Subscribe. The manipulation leads to cross site scripting (Persistent). The attack may be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | http://seclists.org/fulldisclosure/2017/Mar/46 | Exploit, Mailing List, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.98921 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2017/Mar/46 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.98921 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "59A1CBC3-3FC5-418A-BB64-1071EDC4037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, has been found in PHPList 3.2.6. This issue affects some unknown processing of the file /lists/admin/ of the component Subscribe. The manipulation leads to cross site scripting (Persistent). The attack may be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad, clasificada como problem\u00e1tica, en PHPList versi\u00f3n 3.2.6. Este problema afecta a un procesamiento desconocido del archivo /lists/admin/ del componente Subscribe. La manipulaci\u00f3n conlleva a un ataque de tipo cross site scripting (Persistente). El ataque puede ser iniciado remotamente. La actualizaci\u00f3n a versi\u00f3n 3.3.1 puede abordar este problema. Es recomendado actualizar el componente afectado"
}
],
"id": "CVE-2017-20035",
"lastModified": "2024-11-21T03:22:29.747",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-10T10:15:08.830",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98921"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98921"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-05-08 21:15
Modified
2025-06-16 18:39
Severity ?
Summary
phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90C24A84-C600-49C0-B0A9-65C69BEA3F2C",
"versionEndExcluding": "3.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript."
},
{
"lang": "es",
"value": "Las versiones anteriores a phpList 3.6.3 son vulnerables a ataques de cross site scripting (XSS) debido a una depuraci\u00f3n incorrecta de la entrada en lt.php. Esta vulnerabilidad se puede explotar cuando la aplicaci\u00f3n hace referencia din\u00e1micamente a rutas internas y procesa entradas no confiables sin escapar, lo que permite a un atacante inyectar JavaScript malicioso."
}
],
"id": "CVE-2025-28074",
"lastModified": "2025-06-16T18:39:00.380",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-05-08T21:15:50.200",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/mLniumm/CVE-2025-28074"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/phpList/phplist3/blob/main/public_html/lists/lt.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.phplist.org/newslist/phplist-3-6-15-release-notes/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-10 10:15
Modified
2024-11-21 03:22
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in PHPList 3.2.6. It has been rated as critical. Affected by this issue is some unknown functionality of the component Subscription. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | http://seclists.org/fulldisclosure/2017/Mar/45 | Exploit, Mailing List, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.98918 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2017/Mar/45 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.98918 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "59A1CBC3-3FC5-418A-BB64-1071EDC4037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PHPList 3.2.6. It has been rated as critical. Affected by this issue is some unknown functionality of the component Subscription. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad en PHPList versi\u00f3n 3.2.6. Ha sido calificada como cr\u00edtica. Este problema afecta a una funcionalidad desconocida del componente Subscription. La manipulaci\u00f3n conlleva a una inyecci\u00f3n sql. El ataque puede ser lanzado remotamente. La explotaci\u00f3n ha sido revelada al p\u00fablico y puede ser usada. La actualizaci\u00f3n a versi\u00f3n 3.3.1 puede abordar este problema. Es recomendado actualizar el componente afectado"
}
],
"id": "CVE-2017-20032",
"lastModified": "2024-11-21T03:22:29.383",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-10T10:15:08.630",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98918"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98918"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-12 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| phplist | phplist | * | |
| phplist | phplist | 2.6.5 | |
| phplist | phplist | 2.7.1 | |
| phplist | phplist | 2.7.2 | |
| phplist | phplist | 2.8.2 | |
| phplist | phplist | 2.8.7 | |
| phplist | phplist | 2.8.12 | |
| phplist | phplist | 2.10.1 | |
| phplist | phplist | 2.10.2 | |
| phplist | phplist | 2.10.3 | |
| phplist | phplist | 2.10.4 | |
| phplist | phplist | 2.10.5 | |
| phplist | phplist | 2.10.7 | |
| phplist | phplist | 2.10.8 | |
| phplist | phplist | 2.10.9 | |
| phplist | phplist | 2.10.10 | |
| phplist | phplist | 2.10.11 | |
| phplist | phplist | 2.10.12 | |
| phplist | phplist | 2.10.13 | |
| phplist | phplist | 2.10.14 | |
| phplist | phplist | 2.10.15 | |
| phplist | phplist | 2.10.16 | |
| phplist | phplist | 2.10.17 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B68EDC00-D515-4707-AE6F-1D767B550A2E",
"versionEndIncluding": "2.10.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3B397B2A-72B7-47CB-8C6E-2316FAFB88CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "692FCE84-9520-48D0-8E5F-9B993C39FF0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "40839A8B-4D5F-480C-8B38-A50DEBF9DB72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0453EF7B-81B5-426C-B858-81B31F878A2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6523FE2E-A186-47E8-BB14-AA7EDCD14FBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1ED97CCA-E672-408D-8B1D-1D8E4424AF9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FD0770F6-4C09-4D77-A25A-2D9C59B73795",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB6728E-74D6-4939-AA0F-6560678201CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7212A91B-F75D-43CB-90E3-7420C0EA861A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BFECF781-0084-4FBD-BD88-E55C85D9480C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C5492C3F-8833-4F66-B98F-C2B33AD1F14B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DDCD31A1-884A-4381-A31C-211FB0F5AA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.8:*:*:*:*:*:*:*",
"matchCriteriaId": "411A8211-874A-4861-A7BE-F5106E324DBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.9:*:*:*:*:*:*:*",
"matchCriteriaId": "C2AEB89F-A8F3-41A2-8EFF-DF1F121A087A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F6245464-B7CC-4C38-A317-25864A8F4F4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.11:*:*:*:*:*:*:*",
"matchCriteriaId": "4A54E43F-4EB6-40DD-A18D-8A063C9CE4D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.12:*:*:*:*:*:*:*",
"matchCriteriaId": "249CAF32-29C8-4371-B4D6-72207C41BA8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.13:*:*:*:*:*:*:*",
"matchCriteriaId": "6BA31A08-C74F-4CDC-A644-68EAC4BA39E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.14:*:*:*:*:*:*:*",
"matchCriteriaId": "31A5082D-90A9-42A2-A08C-CCE8F7F53262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "531E8F27-4B50-4A8B-A6C4-0B617DAA6224",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.16:*:*:*:*:*:*:*",
"matchCriteriaId": "3B4496FE-646D-48BF-A1F4-F43CE623BE06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.17:*:*:*:*:*:*:*",
"matchCriteriaId": "D46171B6-6125-453B-9838-40BA5093B3C1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en lists/admin/index.php en phpList anterior a v2.10.19, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro (1) page o (2) footer, (3) status, o (4) testtarget en la p\u00e1gina send."
}
],
"id": "CVE-2012-4246",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-08-12T00:55:01.137",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.httpcs.com/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.httpcs.com/advisory/httpcs23"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.httpcs.com/advisory/httpcs24"
},
{
"source": "cve@mitre.org",
"url": "https://www.httpcs.com/advisory/httpcs25"
},
{
"source": "cve@mitre.org",
"url": "https://www.httpcs.com/advisory/httpcs26"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.httpcs.com/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.httpcs.com/advisory/httpcs23"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.httpcs.com/advisory/httpcs24"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.httpcs.com/advisory/httpcs25"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.httpcs.com/advisory/httpcs26"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2006-10-26 16:07
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB6728E-74D6-4939-AA0F-6560678201CA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321."
},
{
"lang": "es",
"value": "Vulnerabilidad de cruce de sitios en scripts (XSS) en index.php de phplist 2.10.2 permite a atacantes remotos inyectar scripts WEB o HTML de su elecci\u00f3n mediante el par\u00e1metro p.\r\nNOTA: Esta vulnerabilidad podr\u00eda sobreponerse con CVE-2006-5321."
}
],
"id": "CVE-2006-5524",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2006-10-26T16:07:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/22431"
},
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/1779"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://securitytracker.com/alerts/2006/Oct/1017102.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/448923/100/100/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/20577/info"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2006/4084"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/22431"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/1779"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://securitytracker.com/alerts/2006/Oct/1017102.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/448923/100/100/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/20577/info"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2006/4084"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-01-27 16:15
Modified
2024-11-21 05:13
Severity ?
Summary
phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/668 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/668 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "75BC6689-BA8E-46E8-AF78-7AE719F3A17E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters."
},
{
"lang": "es",
"value": "phpList versi\u00f3n 3.5.3, permite el malabarismo de tipos para la omisi\u00f3n de inicio de sesi\u00f3n porque es usado == en lugar de === para los hashes de contrase\u00f1a, que maneja inapropiadamente los hashes que comienzan con 0e seguidos de caracteres exclusivamente num\u00e9ricos"
}
],
"id": "CVE-2020-23361",
"lastModified": "2024-11-21T05:13:47.070",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-27T16:15:13.123",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/668"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/668"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-05-04 14:15
Modified
2024-11-21 04:59
Severity ?
Summary
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/compare/3.5.2...3.5.3 | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://www.phplist.org/newslist/phplist-3-5-3-release-notes/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/compare/3.5.2...3.5.3 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.phplist.org/newslist/phplist-3-5-3-release-notes/ | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "885E0BCD-1AA8-4980-92C4-EC99690F1350",
"versionEndExcluding": "3.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php."
},
{
"lang": "es",
"value": "phpList versiones anteriores a la versi\u00f3n 3.5.3, permiten un ataque de tipo XSS, dando como resultado una ascenso de privilegios, por medio del archivo lists/admin/template.php."
}
],
"id": "CVE-2020-12639",
"lastModified": "2024-11-21T04:59:57.680",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-04T14:15:13.373",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/compare/3.5.2...3.5.3"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-3-release-notes/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/compare/3.5.2...3.5.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-3-release-notes/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-02-19 16:30
Modified
2025-04-09 00:30
Severity ?
Summary
Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fckeditor:fckeditor:2.0rc2:*:*:*:*:*:*:*",
"matchCriteriaId": "B6F9F4D2-0A3E-49D6-9A58-D9BCDF492E90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fckeditor:fckeditor:2.0rc3:*:*:*:*:*:*:*",
"matchCriteriaId": "CF47BD2F-7AC9-490E-9289-9C259FE4F231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fckeditor:fckeditor:2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D2823302-CCF1-438B-B962-6EE49D371A28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fckeditor:fckeditor:2.3beta:*:*:*:*:*:*:*",
"matchCriteriaId": "5F841DE0-94A3-45E5-9DF6-516BDBE13CAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fckeditor:fckeditor:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "68C583B7-5A09-4849-A1E1-600C87854A24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FD0770F6-4C09-4D77-A25A-2D9C59B73795",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB6728E-74D6-4939-AA0F-6560678201CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7212A91B-F75D-43CB-90E3-7420C0EA861A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BFECF781-0084-4FBD-BD88-E55C85D9480C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C5492C3F-8833-4F66-B98F-C2B33AD1F14B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.6:*:*:*:*:*:*:*",
"matchCriteriaId": "CB4693DD-6CAE-437E-9D36-C1182F495984",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information."
},
{
"lang": "es",
"value": "Vulnerabilidad de env\u00edo de archivo no restringido en editor/filemanager/browser/default/connectors/php/connector.php en FCKeditor v2.2 en Falt4 CMS, Nuke ET, y otros productos, lo que permite a atacantes remotos ejecutar codigo a su eleccion mediante la creacion de un fichero con secuencias PHP precedidas de un encabezado ZIP, subiendo este fichero a traves la accion FileUpload, y despues accediendo al fichero a traves de una peticion directa del fichero en UserFiles/File/, probablemente relacionado con CVE-2005-4094. NOTA: Algunos detalles fueron obtenidos de una tercera parte."
}
],
"id": "CVE-2008-6178",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2009-02-19T16:30:00.530",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/33973"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/31812"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2009/0447"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48769"
},
{
"source": "cve@mitre.org",
"url": "https://www.exploit-db.com/exploits/8060"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/33973"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/31812"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0447"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48769"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/8060"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-02-03 16:15
Modified
2024-11-21 05:39
Severity ?
Summary
phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.exploit-db.com/exploits/47989 | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/47989 | Exploit, Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F1CADAB7-00B2-49FD-B5C5-4D99F614CD25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters."
},
{
"lang": "es",
"value": "phpList versi\u00f3n 3.5.0, permite el malabarismo de tipos (type juggling) para omitir el inicio de sesi\u00f3n de administrador porque se utiliza == en lugar de === para los hashes de contrase\u00f1a, que maneja inapropiadamente los hash que comienzan con 0e seguido de caracteres num\u00e9ricos exclusivamente."
}
],
"id": "CVE-2020-8547",
"lastModified": "2024-11-21T05:39:00.617",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-03T16:15:12.077",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/47989"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/47989"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-10 10:15
Modified
2024-11-21 03:22
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in PHPList 3.2.6. It has been classified as critical. Affected is an unknown function of the file /lists/admin/ of the component Sending Campain. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | http://seclists.org/fulldisclosure/2017/Mar/45 | Exploit, Mailing List, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.98916 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2017/Mar/45 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.98916 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "59A1CBC3-3FC5-418A-BB64-1071EDC4037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PHPList 3.2.6. It has been classified as critical. Affected is an unknown function of the file /lists/admin/ of the component Sending Campain. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad en PHPList versi\u00f3n 3.2.6. ha sido clasificada como cr\u00edtica. Est\u00e1 afectada una funci\u00f3n desconocida del archivo /lists/admin/ del componente Sending Campain. La manipulaci\u00f3n conlleva a una inyecci\u00f3n sql. Es posible lanzar el ataque de forma remota. La explotaci\u00f3n ha sido revelada al p\u00fablico y puede ser usada. La actualizaci\u00f3n a versi\u00f3n 3.3.1 puede abordar este problema. Es recomendado actualizar el componente afectado"
}
],
"id": "CVE-2017-20030",
"lastModified": "2024-11-21T03:22:29.140",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-10T10:15:08.483",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98916"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98916"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-05-08 20:15
Modified
2025-06-16 18:39
Severity ?
Summary
phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90C24A84-C600-49C0-B0A9-65C69BEA3F2C",
"versionEndExcluding": "3.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized."
},
{
"lang": "es",
"value": "phpList 3.6.3 es vulnerable a ataques de Cross-Site Scripting (XSS) reflejado a trav\u00e9s del endpoint /lists/dl.php. Un atacante puede inyectar c\u00f3digo JavaScript arbitrario manipulando el par\u00e1metro id, que est\u00e1 depurado incorrectamente."
}
],
"id": "CVE-2025-28073",
"lastModified": "2025-06-16T18:39:32.657",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-05-08T20:15:29.537",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/mLniumm/CVE-2025-28073"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/phpList/phplist3"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.phplist.org/newslist/phplist-3-6-15-release-notes/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-12 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| phplist | phplist | * | |
| phplist | phplist | 2.6.5 | |
| phplist | phplist | 2.7.1 | |
| phplist | phplist | 2.7.2 | |
| phplist | phplist | 2.8.2 | |
| phplist | phplist | 2.8.7 | |
| phplist | phplist | 2.8.12 | |
| phplist | phplist | 2.10.1 | |
| phplist | phplist | 2.10.2 | |
| phplist | phplist | 2.10.3 | |
| phplist | phplist | 2.10.4 | |
| phplist | phplist | 2.10.5 | |
| phplist | phplist | 2.10.7 | |
| phplist | phplist | 2.10.8 | |
| phplist | phplist | 2.10.9 | |
| phplist | phplist | 2.10.10 | |
| phplist | phplist | 2.10.11 | |
| phplist | phplist | 2.10.12 | |
| phplist | phplist | 2.10.13 | |
| phplist | phplist | 2.10.14 | |
| phplist | phplist | 2.10.15 | |
| phplist | phplist | 2.10.16 | |
| phplist | phplist | 2.10.17 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B68EDC00-D515-4707-AE6F-1D767B550A2E",
"versionEndIncluding": "2.10.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3B397B2A-72B7-47CB-8C6E-2316FAFB88CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "692FCE84-9520-48D0-8E5F-9B993C39FF0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "40839A8B-4D5F-480C-8B38-A50DEBF9DB72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0453EF7B-81B5-426C-B858-81B31F878A2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6523FE2E-A186-47E8-BB14-AA7EDCD14FBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1ED97CCA-E672-408D-8B1D-1D8E4424AF9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FD0770F6-4C09-4D77-A25A-2D9C59B73795",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB6728E-74D6-4939-AA0F-6560678201CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7212A91B-F75D-43CB-90E3-7420C0EA861A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BFECF781-0084-4FBD-BD88-E55C85D9480C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C5492C3F-8833-4F66-B98F-C2B33AD1F14B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DDCD31A1-884A-4381-A31C-211FB0F5AA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.8:*:*:*:*:*:*:*",
"matchCriteriaId": "411A8211-874A-4861-A7BE-F5106E324DBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.9:*:*:*:*:*:*:*",
"matchCriteriaId": "C2AEB89F-A8F3-41A2-8EFF-DF1F121A087A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F6245464-B7CC-4C38-A317-25864A8F4F4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.11:*:*:*:*:*:*:*",
"matchCriteriaId": "4A54E43F-4EB6-40DD-A18D-8A063C9CE4D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.12:*:*:*:*:*:*:*",
"matchCriteriaId": "249CAF32-29C8-4371-B4D6-72207C41BA8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.13:*:*:*:*:*:*:*",
"matchCriteriaId": "6BA31A08-C74F-4CDC-A644-68EAC4BA39E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.14:*:*:*:*:*:*:*",
"matchCriteriaId": "31A5082D-90A9-42A2-A08C-CCE8F7F53262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "531E8F27-4B50-4A8B-A6C4-0B617DAA6224",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.16:*:*:*:*:*:*:*",
"matchCriteriaId": "3B4496FE-646D-48BF-A1F4-F43CE623BE06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.17:*:*:*:*:*:*:*",
"matchCriteriaId": "D46171B6-6125-453B-9838-40BA5093B3C1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en admin/index.php en phpList anterior a v2.10.19 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro unconfirmed para la p\u00e1gina user."
}
],
"id": "CVE-2012-3952",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-08-12T00:55:00.887",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/84482"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/50150"
},
{
"source": "cve@mitre.org",
"url": "http://www.phplist.com/?lid=579"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/54887"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77526"
},
{
"source": "cve@mitre.org",
"url": "https://www.htbridge.com/advisory/HTB23100"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/84482"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/50150"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.phplist.com/?lid=579"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/54887"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77526"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.htbridge.com/advisory/HTB23100"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-09-06 17:55
Modified
2025-04-11 00:51
Severity ?
Summary
SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| phplist | phplist | * | |
| phplist | phplist | 2.10.1 | |
| phplist | phplist | 2.10.2 | |
| phplist | phplist | 2.10.3 | |
| phplist | phplist | 2.10.4 | |
| phplist | phplist | 2.10.5 | |
| phplist | phplist | 2.10.7 | |
| phplist | phplist | 2.10.8 | |
| phplist | phplist | 2.10.9 | |
| phplist | phplist | 2.10.10 | |
| phplist | phplist | 2.10.11 | |
| phplist | phplist | 2.10.12 | |
| phplist | phplist | 2.10.13 | |
| phplist | phplist | 2.10.14 | |
| phplist | phplist | 2.10.15 | |
| phplist | phplist | 2.10.16 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "578542B5-BBCA-42E1-840F-1F4DAB176F20",
"versionEndIncluding": "2.10.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FD0770F6-4C09-4D77-A25A-2D9C59B73795",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB6728E-74D6-4939-AA0F-6560678201CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7212A91B-F75D-43CB-90E3-7420C0EA861A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BFECF781-0084-4FBD-BD88-E55C85D9480C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C5492C3F-8833-4F66-B98F-C2B33AD1F14B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DDCD31A1-884A-4381-A31C-211FB0F5AA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.8:*:*:*:*:*:*:*",
"matchCriteriaId": "411A8211-874A-4861-A7BE-F5106E324DBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.9:*:*:*:*:*:*:*",
"matchCriteriaId": "C2AEB89F-A8F3-41A2-8EFF-DF1F121A087A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F6245464-B7CC-4C38-A317-25864A8F4F4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.11:*:*:*:*:*:*:*",
"matchCriteriaId": "4A54E43F-4EB6-40DD-A18D-8A063C9CE4D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.12:*:*:*:*:*:*:*",
"matchCriteriaId": "249CAF32-29C8-4371-B4D6-72207C41BA8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.13:*:*:*:*:*:*:*",
"matchCriteriaId": "6BA31A08-C74F-4CDC-A644-68EAC4BA39E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.14:*:*:*:*:*:*:*",
"matchCriteriaId": "31A5082D-90A9-42A2-A08C-CCE8F7F53262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "531E8F27-4B50-4A8B-A6C4-0B617DAA6224",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.16:*:*:*:*:*:*:*",
"matchCriteriaId": "3B4496FE-646D-48BF-A1F4-F43CE623BE06",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en public_html/lists/admin en phpList anterior a v2.10.18, permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro SortBy en una acci\u00f3n de encontrar."
}
],
"id": "CVE-2012-2740",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-09-06T17:55:01.393",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://securitytracker.com/id?1027181"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18639"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/06/16/1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/06/17/2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/52657"
},
{
"source": "secalert@redhat.com",
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php"
},
{
"source": "secalert@redhat.com",
"url": "https://mantis.phplist.com/view.php?id=16557"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.phplist.com/?lid=567"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1027181"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18639"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/06/16/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/06/17/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/52657"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://mantis.phplist.com/view.php?id=16557"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.phplist.com/?lid=567"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-01 21:15
Modified
2024-11-21 05:13
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Edit Values" field under the "Configure Attributes" module.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/664 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/664 | Exploit, Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "75BC6689-BA8E-46E8-AF78-7AE719F3A17E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Edit Values\" field under the \"Configure Attributes\" module."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en phplist versi\u00f3n 3.5.3, permite a atacantes ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada introducida en el campo \"Edit Values\" bajo el m\u00f3dulo \"Configure Attributes\""
}
],
"id": "CVE-2020-23207",
"lastModified": "2024-11-21T05:13:38.607",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-01T21:15:08.010",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/664"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/664"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:29
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "Campaign" field under the "Send a campaign" module.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/676 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/676 | Exploit, Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80F89BDF-79BF-4D6F-9542-F6383C37FFBD",
"versionEndIncluding": "3.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the \"Campaign\" field under the \"Send a campaign\" module."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en phplist versiones 3.5.4 y por debajo permite a atacantes ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada en el campo \"Campaign\" bajo el m\u00f3dulo \"Send a campaign\""
}
],
"id": "CVE-2020-36398",
"lastModified": "2024-11-21T05:29:24.480",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-02T18:15:08.620",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/676"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/676"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-12 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| phplist | phplist | * | |
| phplist | phplist | 2.6.5 | |
| phplist | phplist | 2.7.1 | |
| phplist | phplist | 2.7.2 | |
| phplist | phplist | 2.8.2 | |
| phplist | phplist | 2.8.7 | |
| phplist | phplist | 2.8.12 | |
| phplist | phplist | 2.10.1 | |
| phplist | phplist | 2.10.2 | |
| phplist | phplist | 2.10.3 | |
| phplist | phplist | 2.10.4 | |
| phplist | phplist | 2.10.5 | |
| phplist | phplist | 2.10.7 | |
| phplist | phplist | 2.10.8 | |
| phplist | phplist | 2.10.9 | |
| phplist | phplist | 2.10.10 | |
| phplist | phplist | 2.10.11 | |
| phplist | phplist | 2.10.12 | |
| phplist | phplist | 2.10.13 | |
| phplist | phplist | 2.10.14 | |
| phplist | phplist | 2.10.15 | |
| phplist | phplist | 2.10.16 | |
| phplist | phplist | 2.10.17 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B68EDC00-D515-4707-AE6F-1D767B550A2E",
"versionEndIncluding": "2.10.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3B397B2A-72B7-47CB-8C6E-2316FAFB88CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "692FCE84-9520-48D0-8E5F-9B993C39FF0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "40839A8B-4D5F-480C-8B38-A50DEBF9DB72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0453EF7B-81B5-426C-B858-81B31F878A2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6523FE2E-A186-47E8-BB14-AA7EDCD14FBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1ED97CCA-E672-408D-8B1D-1D8E4424AF9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FD0770F6-4C09-4D77-A25A-2D9C59B73795",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB6728E-74D6-4939-AA0F-6560678201CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7212A91B-F75D-43CB-90E3-7420C0EA861A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BFECF781-0084-4FBD-BD88-E55C85D9480C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C5492C3F-8833-4F66-B98F-C2B33AD1F14B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DDCD31A1-884A-4381-A31C-211FB0F5AA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.8:*:*:*:*:*:*:*",
"matchCriteriaId": "411A8211-874A-4861-A7BE-F5106E324DBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.9:*:*:*:*:*:*:*",
"matchCriteriaId": "C2AEB89F-A8F3-41A2-8EFF-DF1F121A087A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F6245464-B7CC-4C38-A317-25864A8F4F4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.11:*:*:*:*:*:*:*",
"matchCriteriaId": "4A54E43F-4EB6-40DD-A18D-8A063C9CE4D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.12:*:*:*:*:*:*:*",
"matchCriteriaId": "249CAF32-29C8-4371-B4D6-72207C41BA8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.13:*:*:*:*:*:*:*",
"matchCriteriaId": "6BA31A08-C74F-4CDC-A644-68EAC4BA39E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.14:*:*:*:*:*:*:*",
"matchCriteriaId": "31A5082D-90A9-42A2-A08C-CCE8F7F53262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "531E8F27-4B50-4A8B-A6C4-0B617DAA6224",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.16:*:*:*:*:*:*:*",
"matchCriteriaId": "3B4496FE-646D-48BF-A1F4-F43CE623BE06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.17:*:*:*:*:*:*:*",
"matchCriteriaId": "D46171B6-6125-453B-9838-40BA5093B3C1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en admin/index.php en phpList anterior a v2.10.19, permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro delete para la p\u00e1gina editattributes.\r\n"
}
],
"id": "CVE-2012-3953",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-08-12T00:55:00.933",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://osvdb.org/84483"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77527"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23100"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://osvdb.org/84483"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77527"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23100"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-01 21:15
Modified
2024-11-21 05:13
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Send test" field under the "Start or continue campaign" module.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/665 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/665 | Exploit, Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "75BC6689-BA8E-46E8-AF78-7AE719F3A17E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Send test\" field under the \"Start or continue campaign\" module."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en phplist versi\u00f3n 3.5.3, permite a atacantes ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada introducida en el campo \"Send test\" en el m\u00f3dulo \"Start or continue campaign\""
}
],
"id": "CVE-2020-23208",
"lastModified": "2024-11-21T05:13:38.737",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-01T21:15:08.040",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/665"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/665"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-01 21:15
Modified
2024-11-21 05:13
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Configure categories" field under the "Categorise Lists" module.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/669 | Exploit, Issue Tracking, Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/669 | Exploit, Issue Tracking, Patch, Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "75BC6689-BA8E-46E8-AF78-7AE719F3A17E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Configure categories\" field under the \"Categorise Lists\" module."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en phplist versi\u00f3n 3.5.3, permite a atacantes ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada introducida en el campo \"Configure categories\" del m\u00f3dulo \"Categorise Lists\""
}
],
"id": "CVE-2020-23214",
"lastModified": "2024-11-21T05:13:39.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-01T21:15:08.100",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/669"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/669"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-09-06 17:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| phplist | phplist | * | |
| phplist | phplist | 2.10.1 | |
| phplist | phplist | 2.10.2 | |
| phplist | phplist | 2.10.3 | |
| phplist | phplist | 2.10.4 | |
| phplist | phplist | 2.10.5 | |
| phplist | phplist | 2.10.7 | |
| phplist | phplist | 2.10.8 | |
| phplist | phplist | 2.10.9 | |
| phplist | phplist | 2.10.10 | |
| phplist | phplist | 2.10.11 | |
| phplist | phplist | 2.10.12 | |
| phplist | phplist | 2.10.13 | |
| phplist | phplist | 2.10.14 | |
| phplist | phplist | 2.10.15 | |
| phplist | phplist | 2.10.16 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "578542B5-BBCA-42E1-840F-1F4DAB176F20",
"versionEndIncluding": "2.10.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FD0770F6-4C09-4D77-A25A-2D9C59B73795",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB6728E-74D6-4939-AA0F-6560678201CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7212A91B-F75D-43CB-90E3-7420C0EA861A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BFECF781-0084-4FBD-BD88-E55C85D9480C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C5492C3F-8833-4F66-B98F-C2B33AD1F14B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DDCD31A1-884A-4381-A31C-211FB0F5AA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.8:*:*:*:*:*:*:*",
"matchCriteriaId": "411A8211-874A-4861-A7BE-F5106E324DBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.9:*:*:*:*:*:*:*",
"matchCriteriaId": "C2AEB89F-A8F3-41A2-8EFF-DF1F121A087A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F6245464-B7CC-4C38-A317-25864A8F4F4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.11:*:*:*:*:*:*:*",
"matchCriteriaId": "4A54E43F-4EB6-40DD-A18D-8A063C9CE4D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.12:*:*:*:*:*:*:*",
"matchCriteriaId": "249CAF32-29C8-4371-B4D6-72207C41BA8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.13:*:*:*:*:*:*:*",
"matchCriteriaId": "6BA31A08-C74F-4CDC-A644-68EAC4BA39E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.14:*:*:*:*:*:*:*",
"matchCriteriaId": "31A5082D-90A9-42A2-A08C-CCE8F7F53262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "531E8F27-4B50-4A8B-A6C4-0B617DAA6224",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.16:*:*:*:*:*:*:*",
"matchCriteriaId": "3B4496FE-646D-48BF-A1F4-F43CE623BE06",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action."
},
{
"lang": "es",
"value": "Una vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en public_html/lists/admin/ en phpList anterior a v2.10.18, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro num en una acci\u00f3n reconcileusers"
}
],
"id": "CVE-2012-2741",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-09-06T17:55:01.440",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://securitytracker.com/id?1027181"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18639"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/06/16/1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/06/17/2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/52657"
},
{
"source": "secalert@redhat.com",
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php"
},
{
"source": "secalert@redhat.com",
"url": "https://mantis.phplist.com/view.php?id=16557"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.phplist.com/?lid=567"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1027181"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18639"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/06/16/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/06/17/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/52657"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://mantis.phplist.com/view.php?id=16557"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.phplist.com/?lid=567"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-01 21:15
Modified
2024-11-21 05:13
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "List Description" field under the "Edit A List" module.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/666 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/666 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "75BC6689-BA8E-46E8-AF78-7AE719F3A17E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"List Description\" field under the \"Edit A List\" module."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en phplist versi\u00f3n 3.5.3, permite a atacantes ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada introducida en el campo \"List Description\" en el m\u00f3dulo \"Edit A List\""
}
],
"id": "CVE-2020-23209",
"lastModified": "2024-11-21T05:13:38.873",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-01T21:15:08.070",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/666"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/666"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-12 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| phplist | phplist | * | |
| phplist | phplist | 2.6.5 | |
| phplist | phplist | 2.7.1 | |
| phplist | phplist | 2.7.2 | |
| phplist | phplist | 2.8.2 | |
| phplist | phplist | 2.8.7 | |
| phplist | phplist | 2.8.12 | |
| phplist | phplist | 2.10.1 | |
| phplist | phplist | 2.10.2 | |
| phplist | phplist | 2.10.3 | |
| phplist | phplist | 2.10.4 | |
| phplist | phplist | 2.10.5 | |
| phplist | phplist | 2.10.7 | |
| phplist | phplist | 2.10.8 | |
| phplist | phplist | 2.10.9 | |
| phplist | phplist | 2.10.10 | |
| phplist | phplist | 2.10.11 | |
| phplist | phplist | 2.10.12 | |
| phplist | phplist | 2.10.13 | |
| phplist | phplist | 2.10.14 | |
| phplist | phplist | 2.10.15 | |
| phplist | phplist | 2.10.16 | |
| phplist | phplist | 2.10.17 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B68EDC00-D515-4707-AE6F-1D767B550A2E",
"versionEndIncluding": "2.10.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3B397B2A-72B7-47CB-8C6E-2316FAFB88CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "692FCE84-9520-48D0-8E5F-9B993C39FF0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "40839A8B-4D5F-480C-8B38-A50DEBF9DB72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0453EF7B-81B5-426C-B858-81B31F878A2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6523FE2E-A186-47E8-BB14-AA7EDCD14FBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.8.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1ED97CCA-E672-408D-8B1D-1D8E4424AF9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FD0770F6-4C09-4D77-A25A-2D9C59B73795",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB6728E-74D6-4939-AA0F-6560678201CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7212A91B-F75D-43CB-90E3-7420C0EA861A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BFECF781-0084-4FBD-BD88-E55C85D9480C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C5492C3F-8833-4F66-B98F-C2B33AD1F14B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DDCD31A1-884A-4381-A31C-211FB0F5AA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.8:*:*:*:*:*:*:*",
"matchCriteriaId": "411A8211-874A-4861-A7BE-F5106E324DBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.9:*:*:*:*:*:*:*",
"matchCriteriaId": "C2AEB89F-A8F3-41A2-8EFF-DF1F121A087A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F6245464-B7CC-4C38-A317-25864A8F4F4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.11:*:*:*:*:*:*:*",
"matchCriteriaId": "4A54E43F-4EB6-40DD-A18D-8A063C9CE4D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.12:*:*:*:*:*:*:*",
"matchCriteriaId": "249CAF32-29C8-4371-B4D6-72207C41BA8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.13:*:*:*:*:*:*:*",
"matchCriteriaId": "6BA31A08-C74F-4CDC-A644-68EAC4BA39E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.14:*:*:*:*:*:*:*",
"matchCriteriaId": "31A5082D-90A9-42A2-A08C-CCE8F7F53262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.15:*:*:*:*:*:*:*",
"matchCriteriaId": "531E8F27-4B50-4A8B-A6C4-0B617DAA6224",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.16:*:*:*:*:*:*:*",
"matchCriteriaId": "3B4496FE-646D-48BF-A1F4-F43CE623BE06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:2.10.17:*:*:*:*:*:*:*",
"matchCriteriaId": "D46171B6-6125-453B-9838-40BA5093B3C1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en lists/admin/index.php en phpList anterior a v2.10.19, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, o (5) remote_prefix para la p\u00e1gina import4; o (6) par\u00e1metro id para la p\u00e1gina bouncerule."
}
],
"id": "CVE-2012-4247",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-08-12T00:55:01.183",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"source": "cve@mitre.org",
"url": "https://www.httpcs.com/advisories"
},
{
"source": "cve@mitre.org",
"url": "https://www.httpcs.com/advisory/httpcs1"
},
{
"source": "cve@mitre.org",
"url": "https://www.httpcs.com/advisory/httpcs2"
},
{
"source": "cve@mitre.org",
"url": "https://www.httpcs.com/advisory/httpcs3"
},
{
"source": "cve@mitre.org",
"url": "https://www.httpcs.com/advisory/httpcs4"
},
{
"source": "cve@mitre.org",
"url": "https://www.httpcs.com/advisory/httpcs6"
},
{
"source": "cve@mitre.org",
"url": "https://www.httpcs.com/advisory/httpcs7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.phplist.com/?lid=579"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.httpcs.com/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.httpcs.com/advisory/httpcs1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.httpcs.com/advisory/httpcs2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.httpcs.com/advisory/httpcs3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.httpcs.com/advisory/httpcs4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.httpcs.com/advisory/httpcs6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.httpcs.com/advisory/httpcs7"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-10 10:15
Modified
2024-11-21 03:22
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability classified as problematic has been found in PHPList 3.2.6. This affects an unknown part of the file /lists/admin/. The manipulation of the argument page with the input send\'\";><script>alert(8)</script> leads to cross site scripting (Reflected). It is possible to initiate the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | http://seclists.org/fulldisclosure/2017/Mar/46 | Exploit, Mailing List, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.98919 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2017/Mar/46 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.98919 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "59A1CBC3-3FC5-418A-BB64-1071EDC4037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in PHPList 3.2.6. This affects an unknown part of the file /lists/admin/. The manipulation of the argument page with the input send\\\u0027\\\";\u003e\u003cscript\u003ealert(8)\u003c/script\u003e leads to cross site scripting (Reflected). It is possible to initiate the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad clasificada como problem\u00e1tica en PHPList versi\u00f3n 3.2.6. Esto afecta a una parte desconocida del archivo /lists/admin/. La manipulaci\u00f3n de la p\u00e1gina de argumentos con la entrada send\\\u0027\\\";)(script)alert(8)(/script) conlleva a un ataque de tipo cross site scripting (Reflejado). Es posible iniciar el ataque de forma remota. La actualizaci\u00f3n a versi\u00f3n 3.3.1 puede abordar este problema. Es recomendado actualizar el componente afectado"
}
],
"id": "CVE-2017-20033",
"lastModified": "2024-11-21T03:22:29.507",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-10T10:15:08.703",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98919"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98919"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-01 21:15
Modified
2024-11-21 05:13
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add a list" field under the "Import Emails" module.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/672 | Exploit, Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://www.phplist.org/newslist/phplist-3-5-4-release-notes/ | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/672 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.phplist.org/newslist/phplist-3-5-4-release-notes/ | Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "75BC6689-BA8E-46E8-AF78-7AE719F3A17E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Add a list\" field under the \"Import Emails\" module."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en phplist versi\u00f3n 3.5.3, permite a atacantes ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada introducida en el campo \"Add a list\" bajo el m\u00f3dulo \"Import Emails\""
}
],
"id": "CVE-2020-23217",
"lastModified": "2024-11-21T05:13:39.140",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-01T21:15:08.133",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/672"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/672"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-10 10:15
Modified
2024-11-21 03:22
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in PHPList 3.2.6 and classified as critical. This issue affects some unknown processing of the file /lists/index.php of the component Edit Subscription. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | http://seclists.org/fulldisclosure/2017/Mar/45 | Exploit, Mailing List, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.98915 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2017/Mar/45 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.98915 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "59A1CBC3-3FC5-418A-BB64-1071EDC4037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PHPList 3.2.6 and classified as critical. This issue affects some unknown processing of the file /lists/index.php of the component Edit Subscription. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad en PHPList versi\u00f3n 3.2.6 y ha sido clasificada como cr\u00edtica. Este problema afecta a un procesamiento desconocido del archivo /lists/index.php del componente Edit Subscription. La manipulaci\u00f3n conlleva a una inyecci\u00f3n sql. El ataque puede ser iniciado remotamente. La explotaci\u00f3n ha sido revelada al p\u00fablico y puede ser usada. La actualizaci\u00f3n a versi\u00f3n 3.3.1 puede abordar este problema. Es recomendado actualizar el componente afectado"
}
],
"id": "CVE-2017-20029",
"lastModified": "2024-11-21T03:22:29.020",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-10T10:15:08.287",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98915"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98915"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-10 10:15
Modified
2024-11-21 03:22
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability classified as problematic was found in PHPList 3.2.6. This vulnerability affects unknown code of the file /lists/admin/ of the component List Name. The manipulation leads to cross site scripting (Persistent). The attack can be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | http://seclists.org/fulldisclosure/2017/Mar/46 | Exploit, Mailing List, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.98920 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2017/Mar/46 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.98920 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "59A1CBC3-3FC5-418A-BB64-1071EDC4037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic was found in PHPList 3.2.6. This vulnerability affects unknown code of the file /lists/admin/ of the component List Name. The manipulation leads to cross site scripting (Persistent). The attack can be initiated remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad clasificada como problem\u00e1tica en PHPList 3.2.6. Esta vulnerabilidad afecta a c\u00f3digo desconocido del archivo /lists/admin/ del componente Nombre de la Lista. La manipulaci\u00f3n conduce a cross site scripting (Persistente). El ataque puede ser iniciado remotamente. La actualizaci\u00f3n a la versi\u00f3n 3.3.1 puede solucionar este problema. Se recomienda actualizar el componente afectado"
}
],
"id": "CVE-2017-20034",
"lastModified": "2024-11-21T03:22:29.627",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-10T10:15:08.767",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98920"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98920"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:13
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload in the "admin" parameter under the "Manage administrators" module.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/671 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/671 | Exploit, Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80F89BDF-79BF-4D6F-9542-F6383C37FFBD",
"versionEndIncluding": "3.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload in the \"admin\" parameter under the \"Manage administrators\" module."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en phplist versiones 3.5.4 y por debajo permite a atacantes autenticados ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada en el par\u00e1metro \"admin\" en el m\u00f3dulo \"Manage administrators\""
}
],
"id": "CVE-2020-23192",
"lastModified": "2024-11-21T05:13:38.197",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-02T18:15:08.407",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/671"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/671"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:29
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "rule1" parameter under the "Bounce Rules" module.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/675 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/675 | Exploit, Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80F89BDF-79BF-4D6F-9542-F6383C37FFBD",
"versionEndIncluding": "3.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the \"rule1\" parameter under the \"Bounce Rules\" module."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en phplist versiones 3.5.4 y por debajo permite a atacantes ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada en el par\u00e1metro \"rule1\" bajo el m\u00f3dulo \"Bounce Rules\""
}
],
"id": "CVE-2020-36399",
"lastModified": "2024-11-21T05:29:24.657",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-02T18:15:08.663",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/675"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/675"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-08 20:15
Modified
2024-11-21 05:04
Severity ?
Summary
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377 | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://www.phplist.org/newslist/phplist-3-5-5-release-notes/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.phplist.org/newslist/phplist-3-5-5-release-notes/ | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80F89BDF-79BF-4D6F-9542-F6383C37FFBD",
"versionEndIncluding": "3.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en phpList versiones hasta 3.5.4. Una vulnerabilidad de Inyecci\u00f3n SQL basada en errores por medio de la secci\u00f3n Import Administrators"
}
],
"id": "CVE-2020-15072",
"lastModified": "2024-11-21T05:04:45.087",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-08T20:15:10.273",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-06 20:15
Modified
2024-11-21 05:13
Severity ?
Summary
Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/660 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/660 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2530A416-DECC-4380-9797-C61706AFAACB",
"versionEndIncluding": "3.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross Site Scripting (XSS) en phpList versi\u00f3n 3.5.3, por medio del campo login name en Manage Administrators al a\u00f1adir un nuevo administrador"
}
],
"id": "CVE-2020-22251",
"lastModified": "2024-11-21T05:13:12.930",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-06T20:15:07.993",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/660"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/660"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-01-26 18:16
Modified
2024-11-21 06:21
Severity ?
Summary
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://wehackmx.com/security-research/WeHackMX-2021-001/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wehackmx.com/security-research/WeHackMX-2021-001/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9D666866-896A-4431-AE31-FD6798369C3F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports."
},
{
"lang": "es",
"value": "phpList versi\u00f3n 3.6.0, permite una inyecci\u00f3n CSV, relacionada con el par\u00e1metro email, y las exportaciones de /lists/admin/"
}
],
"id": "CVE-2021-3188",
"lastModified": "2024-11-21T06:21:06.280",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-26T18:16:28.210",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wehackmx.com/security-research/WeHackMX-2021-001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wehackmx.com/security-research/WeHackMX-2021-001/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1236"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-08 20:15
Modified
2024-11-21 05:04
Severity ?
Summary
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377 | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://www.phplist.org/newslist/phplist-3-5-5-release-notes/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.phplist.org/newslist/phplist-3-5-5-release-notes/ | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80F89BDF-79BF-4D6F-9542-F6383C37FFBD",
"versionEndIncluding": "3.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en phpList versiones hasta 3.5.4. Se produce una vulnerabilidad de tipo XSS en la secci\u00f3n Import Administrators mediante la carga de un documento de texto editado. Esto tambi\u00e9n afecta a la secci\u00f3n Subscriber Lists"
}
],
"id": "CVE-2020-15073",
"lastModified": "2024-11-21T05:04:45.240",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-08T20:15:10.350",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-5-release-notes/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-04 15:15
Modified
2024-11-21 05:01
Severity ?
Summary
phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.phplist.org/newslist/phplist-3-5-4-release-notes/ | Release Notes | |
| cve@mitre.org | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-004 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.phplist.org/newslist/phplist-3-5-4-release-notes/ | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-004 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2C26B054-18EE-4A4D-9330-AD34426E85A4",
"versionEndExcluding": "3.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php."
},
{
"lang": "es",
"value": "phpList versiones anteriores a 3.5.4, permite un ataque de tipo XSS por medio de los archivos /lists/admin/user.php y /lists/admin/users.php"
}
],
"id": "CVE-2020-13827",
"lastModified": "2024-11-21T05:01:56.887",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-04T15:15:13.637",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-004"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.phplist.org/newslist/phplist-3-5-4-release-notes/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-004"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-05-05 16:07
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "09A228B3-A31C-4B1F-942F-85B61CD9F872",
"versionEndIncluding": "3.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "17578F73-9CE7-49B4-8B4C-86B3865E7551",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4EFEAFB1-1174-4264-8CB7-A931C39058F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9DD81163-211E-475F-AD85-4CB79F17E63C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "55429A2B-3D25-4BFA-8001-5D15686BEB2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phplist:phplist:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8967A968-DC97-4DD5-BDDD-1AFCD97168CC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/."
},
{
"lang": "es",
"value": "Vulnerabilidad de CSRF en el editor de p\u00e1gina de suscripci\u00f3n en phpList anterior a 3.0.6 permite a atacantes remotos secuestrar la autenticaci\u00f3n de administradores a trav\u00e9s de una solicitud hacia admin/."
}
],
"id": "CVE-2014-2916",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-05-05T16:07:06.283",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://labs.davidsopas.com/2014/04/phplist-csrf-on-subscription-page.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/57893"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.phplist.com/?lid=638"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id/1030191"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://labs.davidsopas.com/2014/04/phplist-csrf-on-subscription-page.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/57893"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.phplist.com/?lid=638"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1030191"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-25 06:15
Modified
2024-11-21 05:27
Severity ?
Summary
phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://sourceforge.net/projects/phplist/files/phplist/ | Third Party Advisory | |
| cve@mitre.org | https://tufangungor.github.io/exploit/2020/12/15/phplist-3.5.9-sql-injection.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://sourceforge.net/projects/phplist/files/phplist/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tufangungor.github.io/exploit/2020/12/15/phplist-3.5.9-sql-injection.html | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2E773473-855B-4AC5-A19A-7E9D141B2222",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the \"Config - Import Administrators\" page."
},
{
"lang": "es",
"value": "phpList versi\u00f3n 3.5.9, permite una inyecci\u00f3n de SQL por parte de los administradores que proporcionan una cuarta l\u00ednea dise\u00f1ada de un archivo hacia la p\u00e1gina \"Config - Import Administrators\""
}
],
"id": "CVE-2020-35708",
"lastModified": "2024-11-21T05:27:53.337",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-25T06:15:14.330",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://sourceforge.net/projects/phplist/files/phplist/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://tufangungor.github.io/exploit/2020/12/15/phplist-3.5.9-sql-injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://sourceforge.net/projects/phplist/files/phplist/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://tufangungor.github.io/exploit/2020/12/15/phplist-3.5.9-sql-injection.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-08-18 15:15
Modified
2024-11-21 07:53
Severity ?
Summary
An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the user with super-admin permission. Specifically, for a request with updatepassword=1, a modified request (manipulating both the ID parameter and the associated username) can bypass the intended email confirmation requirement. For example, the attacker can start from an updatepassword=1 request with their own ID number, and change the ID number to 1 (representing the super admin account) and change the username to admin2. In the first step, the attacker changes the super admin's email address to one under the attacker's control. In the second step, the attacker performs a password reset for the super admin account. The new password allows login as the super admin, i.e., a successful account takeover.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.6.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1C39BCF7-4D92-48E6-8AB6-3A03422C2A73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the system\u0027s super admin, allowing one to perform an account takeover of the user with super-admin permission. Specifically, for a request with updatepassword=1, a modified request (manipulating both the ID parameter and the associated username) can bypass the intended email confirmation requirement. For example, the attacker can start from an updatepassword=1 request with their own ID number, and change the ID number to 1 (representing the super admin account) and change the username to admin2. In the first step, the attacker changes the super admin\u0027s email address to one under the attacker\u0027s control. In the second step, the attacker performs a password reset for the super admin account. The new password allows login as the super admin, i.e., a successful account takeover."
},
{
"lang": "es",
"value": "Se ha descubierto un problema en phpList v3.6.12. Debido a un error de acceso, era posible manipular y editar datos del superadministrador del sistema, lo que permit\u00eda realizar una toma de control de la cuneta del usuario con permiso de superadministrador."
}
],
"id": "CVE-2023-27576",
"lastModified": "2024-11-21T07:53:10.920",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-18T15:15:09.723",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://cupc4k3.lol/cve-2023-27576-hacking-phplist-how-i-gained-super-admin-access-44c7c90d82da"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/phpList/phplist3/pull/986"
},
{
"source": "cve@mitre.org",
"url": "https://www.phplist.org/newslist/phplist-3-6-14-release-notes/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://cupc4k3.lol/cve-2023-27576-hacking-phplist-how-i-gained-super-admin-access-44c7c90d82da"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/phpList/phplist3/pull/986"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.phplist.org/newslist/phplist-3-6-14-release-notes/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-10 10:15
Modified
2024-11-21 03:22
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability, which was classified as problematic, was found in PHPList 3.2.6. Affected is an unknown function of the file /lists/admin/ of the component Bounce Rule. The manipulation leads to cross site scripting (Persistent). It is possible to launch the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | http://seclists.org/fulldisclosure/2017/Mar/46 | Exploit, Mailing List, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.98922 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2017/Mar/46 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.98922 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "59A1CBC3-3FC5-418A-BB64-1071EDC4037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in PHPList 3.2.6. Affected is an unknown function of the file /lists/admin/ of the component Bounce Rule. The manipulation leads to cross site scripting (Persistent). It is possible to launch the attack remotely. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad, clasificada como problem\u00e1tica, en PHPList versi\u00f3n 3.2.6. Afectada es una funci\u00f3n desconocida del archivo /lists/admin/ del componente Bounce Rule. La manipulaci\u00f3n conlleva a un ataque de tipo cross site scripting (Persistente). Es posible lanzar el ataque de forma remota. La actualizaci\u00f3n a versi\u00f3n 3.3.1 puede abordar este problema. Es recomendado actualizar el componente afectado"
}
],
"id": "CVE-2017-20036",
"lastModified": "2024-11-21T03:22:29.863",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-10T10:15:08.887",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98922"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/46"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98922"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:13
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in the "Import emails" module in phplist 3.5.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/667 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/667 | Exploit, Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FFDAE283-4668-4471-ADA0-2A3EA4B0B138",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in the \"Import emails\" module in phplist 3.5.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en el m\u00f3dulo \"Import emails\" en phplist versiones 3.5.4, permite a atacantes autenticados ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada"
}
],
"id": "CVE-2020-23190",
"lastModified": "2024-11-21T05:13:38.063",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-02T18:15:08.367",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/667"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/667"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-06 20:15
Modified
2024-11-21 05:13
Severity ?
Summary
Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file, Uploading a malicious plugin which contains the php files with extensions like PHP,phtml,php7 will be copied to the plugins directory which would lead to the remote code execution
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://drive.google.com/open?id=1znDU4fDKA_seg16mJLLtgaaFfvmf-mS6 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://drive.google.com/open?id=1znDU4fDKA_seg16mJLLtgaaFfvmf-mS6 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A324C775-E1C4-4549-B001-2CED53CAC54F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file, Uploading a malicious plugin which contains the php files with extensions like PHP,phtml,php7 will be copied to the plugins directory which would lead to the remote code execution"
},
{
"lang": "es",
"value": "Una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo remota en phplist versi\u00f3n 3.5.1. La aplicaci\u00f3n no comprueba las extensiones de archivo almacenadas en el archivo zip del plugin, la carga de un plugin malicioso que contenga archivos php con extensiones como PHP, phtml, php7 ser\u00e1n copiadas en el directorio de plugins lo que conllevar\u00eda a una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2020-22249",
"lastModified": "2024-11-21T05:13:12.780",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-06T20:15:07.953",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://drive.google.com/open?id=1znDU4fDKA_seg16mJLLtgaaFfvmf-mS6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://drive.google.com/open?id=1znDU4fDKA_seg16mJLLtgaaFfvmf-mS6"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-10 10:15
Modified
2024-11-21 03:22
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
A vulnerability was found in PHPList 3.2.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument sortby with the input password leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | http://seclists.org/fulldisclosure/2017/Mar/45 | Exploit, Mailing List, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.98917 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2017/Mar/45 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.98917 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "59A1CBC3-3FC5-418A-BB64-1071EDC4037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PHPList 3.2.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument sortby with the input password leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad en PHPList versi\u00f3n 3.2.6. Se ha declarado como problem\u00e1tica. Esta vulnerabilidad afecta a una funcionalidad desconocida. La manipulaci\u00f3n del argumento sortby con la contrase\u00f1a de entrada conlleva a una revelaci\u00f3n de informaci\u00f3n. El ataque puede ser lanzado remotamente. La explotaci\u00f3n ha sido revelada al p\u00fablico y puede ser usada. La actualizaci\u00f3n a versi\u00f3n 3.3.1 puede abordar este problema. Es recomendado actualizar el componente afectado"
}
],
"id": "CVE-2017-20031",
"lastModified": "2024-11-21T03:22:29.260",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-10T10:15:08.557",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98917"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Mar/45"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.98917"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:13
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in the "Import Subscribers" feature in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpList/phplist3/issues/678 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpList/phplist3/issues/678 | Exploit, Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80F89BDF-79BF-4D6F-9542-F6383C37FFBD",
"versionEndIncluding": "3.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in the \"Import Subscribers\" feature in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en la funcionalidad \"Import Subscribers\" de phplist versiones 3.5.4 y por debajo permite a atacantes autenticados ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada"
}
],
"id": "CVE-2020-23194",
"lastModified": "2024-11-21T05:13:38.337",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-02T18:15:08.450",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/678"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpList/phplist3/issues/678"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}