Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): phplist
There are 36 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2020-15073

An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.

Published: July 08, 2020; 4:15:10 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-15072

An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.

Published: July 08, 2020; 4:15:10 PM -0400
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2020-13827

phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.

Published: June 04, 2020; 11:15:13 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-12639

phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.

Published: May 04, 2020; 10:15:13 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-8547

phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.

Published: February 03, 2020; 11:15:12 AM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2015-3345

SQL injection vulnerability in the PHPlist Integration Module before 6.x-1.7 for Drupal allows remote administrators to execute arbitrary SQL commands via unspecified vectors, related to the "phpList database."

Published: April 21, 2015; 12:59:05 PM -0400
V3.x:(not available)
V2.0: 6.5 MEDIUM
CVE-2014-2916

Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/.

Published: May 05, 2014; 12:07:06 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2012-5228

Cross-site scripting (XSS) vulnerability in admin/index.php in phplist 2.10.9, 2.10.17, and possibly other versions before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the testtarget parameter. NOTE: some of these details are obtained from third party information.

Published: October 01, 2012; 4:55:04 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-2741

Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action.

Published: September 06, 2012; 1:55:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-2740

SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action.

Published: September 06, 2012; 1:55:01 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2012-4247

Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page.

Published: August 11, 2012; 8:55:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-4246

Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page.

Published: August 11, 2012; 8:55:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-3953

SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page.

Published: August 11, 2012; 8:55:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2012-3952

Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page.

Published: August 11, 2012; 8:55:00 PM -0400
V3.x:(not available)
V2.0: 2.6 LOW
CVE-2011-1682

Multiple cross-site request forgery (CSRF) vulnerabilities in phpList 2.10.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create a list or (2) insert cross-site scripting (XSS) sequences. NOTE: this issue exists because of an incomplete fix for CVE-2011-0748. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: April 13, 2011; 10:55:01 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-0748

Multiple cross-site request forgery (CSRF) vulnerabilities in phpList before 2.10.13 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) edit administrator accounts.

Published: April 13, 2011; 10:55:01 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2009-4066

Multiple cross-site request forgery (CSRF) vulnerabilities in the "My Account" feature in PHPList Integration module 5 before 5.x-1.2 and 6 before 6.x-1.1 for Drupal allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) subscribing or (2) unsubscribing to mailing lists.

Published: November 23, 2009; 9:30:00 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2009-0422

Dynamic variable evaluation vulnerability in lists/admin.php in phpList 2.10.8 and earlier, when register_globals is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the _SERVER[ConfigFile] parameter to admin/index.php.

Published: February 04, 2009; 7:30:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-5887

phplist before 2.10.8 allows remote attackers to include files via unknown vectors, related to a "local file include vulnerability."

Published: January 12, 2009; 3:00:02 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2007-5167

PHP remote file inclusion vulnerability in .systeme/fonctions.php in phpLister 0.5-pre2 allows remote attackers to execute arbitrary PHP code via a URL in the nom_rep_systeme parameter.

Published: October 01, 2007; 1:17:00 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM