Phplist

phplist

Vendor: Phplist • 40 CVEs

CVEs (40)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-23209 1Phplist 1Phplist Nov 21, 2024 Jul 1, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "List Description" field under the "Edit A List" module.
CVE-2020-23208 1Phplist 1Phplist Nov 21, 2024 Jul 1, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Send test" field under the "Start or continue campaign"...Show more A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Send test" field under the "Start or continue campaign" module.Show less
CVE-2020-23207 1Phplist 1Phplist Nov 21, 2024 Jul 1, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Edit Values" field under the "Configure Attributes" mod...Show more A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Edit Values" field under the "Configure Attributes" module.Show less
CVE-2020-23361 1Phplist 1Phplist Nov 21, 2024 Jan 27, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
CVE-2021-3188 1Phplist 1Phplist Nov 21, 2024 Jan 26, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.
CVE-2020-35708 1Phplist 1Phplist Nov 21, 2024 Dec 25, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.
CVE-2020-15073 1Phplist 1Phplist Nov 21, 2024 Jul 8, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
CVE-2020-15072 1Phplist 1Phplist Nov 21, 2024 Jul 8, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
CVE-2020-13827 1Phplist 1Phplist Nov 21, 2024 Jun 4, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.
CVE-2020-12639 1Phplist 1Phplist Nov 21, 2024 May 4, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.
CVE-2020-8547 1Phplist 1Phplist Nov 21, 2024 Feb 3, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
CVE-2014-2916 1Phplist 1Phplist May 6, 2026 May 5, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/.
CVE-2012-2741 1Phplist 1Phplist Apr 29, 2026 Sep 6, 2012 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action.
CVE-2012-2740 1Phplist 1Phplist Apr 29, 2026 Sep 6, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action.
CVE-2012-4247 1Phplist 1Phplist Apr 29, 2026 Aug 12, 2012 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remot...Show more Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page.Show less
CVE-2012-4246 1Phplist 1Phplist Apr 29, 2026 Aug 12, 2012 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) stat...Show more Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page.Show less
CVE-2012-3953 1Phplist 1Phplist Apr 29, 2026 Aug 12, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page.
CVE-2012-3952 1Phplist 1Phplist Apr 29, 2026 Aug 12, 2012 N/A· v4 N/A· v3 2.6 LOW· v2 Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page.
CVE-2008-6178 2Fckeditor Phplist 2Fckeditor Phplist Apr 23, 2026 Feb 19, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary...Show more Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information.Show less
CVE-2006-5524 1Phplist 1Phplist Apr 23, 2026 Oct 26, 2006 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321.

Previous 12