CVSS: 2.6EPSS: 4%CPEs: 23EXPL: 3CVE-2012-3952 – phpList 2.10.18 - 'unconfirmed' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-3952
Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en admin/index.php en phpList anterior a v2.10.19 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro unconfirmed para la página user. phpList version 2.10.18 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/37590 http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html http://osvdb.org/84482 http://secunia.com/advisories/50150 http://www.phplist.com/?lid=579 http://www.securityfocus.com/bid/54887 https://exchange.xforce.ibmcloud.com/vulnerabilities/77526 https://www.htbridge.com/advisory/HTB23100 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 23EXPL: 4CVE-2012-3953 – phpList 2.10.18 - 'index.php' SQL Injection
https://notcve.org/view.php?id=CVE-2012-3953
SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page. Vulnerabilidad de inyección SQL en admin/index.php en phpList anterior a v2.10.19, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro delete para la página editattributes. phpList version 2.10.18 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/37613 http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html http://osvdb.org/84483 http://www.phplist.com/?lid=579 https://exchange.xforce.ibmcloud.com/vulnerabilities/77527 https://www.htbridge.com/advisory/HTB23100 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •