Summary
Detail | | | |
---|---|---|---|
Vendor | Phplist | First view | 2014-05-05 |
Product | Phplist | Last view | 2025-05-08 |
Version | 3.0.2 | Type | Application |
Update | * | | |
Edition | * | | |
Language | * | | |
Software Edition | * | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:phplist:phplist | | |
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
0 | 2025-05-08 | CVE-2025-28074 | phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript. |
0 | 2025-05-08 | CVE-2025-28073 | phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized. |
4.8 | 2021-07-06 | CVE-2020-22251 | Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin. |
5.4 | 2021-07-02 | CVE-2020-36399 | A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "rule1" parameter under the "Bounce Rules" module. |
5.4 | 2021-07-02 | CVE-2020-36398 | A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "Campaign" field under the "Send a campaign" module. |
5.4 | 2021-07-02 | CVE-2020-23194 | A stored cross site scripting (XSS) vulnerability in the "Import Subscribers" feature in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. |
5.4 | 2021-07-02 | CVE-2020-23192 | A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload in the "admin" parameter under the "Manage administrators" module. |
5.4 | 2020-07-08 | CVE-2020-15073 | An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section. |
8.8 | 2020-07-08 | CVE-2020-15072 | An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section. |
6.1 | 2020-06-04 | CVE-2020-13827 | phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php. |
6.1 | 2020-05-04 | CVE-2020-12639 | phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php. |
6.8 | 2014-05-05 | CVE-2014-2916 | Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
80% (8) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
10% (1) | CWE-352 | Cross-Site Request Forgery (CSRF) |
10% (1) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |