National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): phplist
There are 32 matching records.
Displaying matches 1 through 20.
Vuln ID | Summary | CVSS Severity
CVE-2020-8547

phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.

Published: February 03, 2020; 11:15:12 AM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2015-3345

SQL injection vulnerability in the PHPlist Integration Module before 6.x-1.7 for Drupal allows remote administrators to execute arbitrary SQL commands via unspecified vectors, related to the "phpList database."

Published: April 21, 2015; 12:59:05 PM -04:00
    V2: 6.5 MEDIUM
CVE-2014-2916

Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/.

Published: May 05, 2014; 12:07:06 PM -04:00
    V2: 6.8 MEDIUM
CVE-2012-5228

Cross-site scripting (XSS) vulnerability in admin/index.php in phplist 2.10.9, 2.10.17, and possibly other versions before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the testtarget parameter. NOTE: some of these details are obtained from third party information.

Published: October 01, 2012; 04:55:04 PM -04:00
    V2: 4.3 MEDIUM
CVE-2012-2741

Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action.

Published: September 06, 2012; 01:55:01 PM -04:00
    V2: 4.3 MEDIUM
CVE-2012-2740

SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action.

Published: September 06, 2012; 01:55:01 PM -04:00
    V2: 7.5 HIGH
CVE-2012-4247

Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page.

Published: August 11, 2012; 08:55:01 PM -04:00
    V2: 4.3 MEDIUM
CVE-2012-4246

Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page.

Published: August 11, 2012; 08:55:01 PM -04:00
    V2: 4.3 MEDIUM
CVE-2012-3953

SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page.

Published: August 11, 2012; 08:55:00 PM -04:00
    V2: 7.5 HIGH
CVE-2012-3952

Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page.

Published: August 11, 2012; 08:55:00 PM -04:00
    V2: 2.6 LOW
CVE-2011-1682

Multiple cross-site request forgery (CSRF) vulnerabilities in phpList 2.10.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create a list or (2) insert cross-site scripting (XSS) sequences. NOTE: this issue exists because of an incomplete fix for CVE-2011-0748. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: April 13, 2011; 10:55:01 AM -04:00
    V2: 4.3 MEDIUM
CVE-2011-0748

Multiple cross-site request forgery (CSRF) vulnerabilities in phpList before 2.10.13 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) edit administrator accounts.

Published: April 13, 2011; 10:55:01 AM -04:00
    V2: 6.8 MEDIUM
CVE-2009-4066

Multiple cross-site request forgery (CSRF) vulnerabilities in the "My Account" feature in PHPList Integration module 5 before 5.x-1.2 and 6 before 6.x-1.1 for Drupal allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) subscribing or (2) unsubscribing to mailing lists.

Published: November 23, 2009; 09:30:00 PM -05:00
    V2: 6.8 MEDIUM
CVE-2009-0422

Dynamic variable evaluation vulnerability in lists/admin.php in phpList 2.10.8 and earlier, when register_globals is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the _SERVER[ConfigFile] parameter to admin/index.php.

Published: February 04, 2009; 07:30:00 PM -05:00
    V2: 7.5 HIGH
CVE-2008-5887

phplist before 2.10.8 allows remote attackers to include files via unknown vectors, related to a "local file include vulnerability."

Published: January 12, 2009; 03:00:02 PM -05:00
    V2: 5.0 MEDIUM
CVE-2007-5167

PHP remote file inclusion vulnerability in .systeme/fonctions.php in phpLister 0.5-pre2 allows remote attackers to execute arbitrary PHP code via a URL in the nom_rep_systeme parameter.

Published: October 01, 2007; 01:17:00 AM -04:00
    V2: 6.8 MEDIUM
CVE-2007-4738

Multiple PHP remote file inclusion vulnerabilities in SpeedTech PHP Library (STPHPLibrary) 0.8.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) db_conf or (2) ADODB_DIR parameter to utils/stphpimage_show.php; or a URL in the STPHPLIB_DIR parameter to (3) stphpbutton.php, (4) stphpcheckbox.php, (5) stphpcheckboxwithcaption.php, (6) stphpcheckgroup.php, (7) stphpcomponent.php, (8) stphpcontrolwithcaption.php, (9) stphpedit.php, (10) stphpeditwithcaption.php, (11) stphphr.php, (12) stphpimage.php, (13) stphpimagewithcaption.php, (14) stphplabel.php, (15) stphplistbox.php, (16) stphplistboxwithcaption.php, (17) stphplocale.php, (18) stphppanel.php, (19) stphpradiobutton.php, (20) stphpradiobuttonwithcaption.php, (21) stphpradiogroup.php, (22) stphprichbutton.php, (23) stphpspacer.php, (24) stphptable.php, (25) stphptablecell.php, (26) stphptablerow.php, (27) stphptabpanel.php, (28) stphptabtitle.php, (29) stphptextarea.php, (30) stphptextareawithcaption.php, (31) stphptoolbar.php, (32) stphpwindow.php, (33) stphpxmldoc.php, or (34) stphpxmlelement.php, a different set of vectors than CVE-2007-4737. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: September 06, 2007; 03:17:00 PM -04:00
    V2: 7.5 HIGH
CVE-2006-5524

Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321.

Published: October 26, 2006; 12:07:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2006-5321

Multiple cross-site scripting (XSS) vulnerabilities in phplist before 2.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: October 17, 2006; 01:07:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2006-5322

Multiple SQL injection vulnerabilities in phplist before 2.10.3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: October 17, 2006; 01:07:00 PM -04:00
    V2: 7.5 HIGH