CVE-2020-15073
https://notcve.org/view.php?id=CVE-2020-15073
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section. Se detectó un problema en phpList versiones hasta 3.5.4. Se produce una vulnerabilidad de tipo XSS en la sección Import Administrators mediante la carga de un documento de texto editado. • https://blog.telspace.co.za/2020/07/phplist-cve-2020-15072-cve-2020-15073.html https://discuss.phplist.org/t/phplist-3-5-5-has-been-released/6377 https://www.phplist.org/newslist/phplist-3-5-5-release-notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-13827
https://notcve.org/view.php?id=CVE-2020-13827
phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php. phpList versiones anteriores a 3.5.4, permite un ataque de tipo XSS por medio de los archivos /lists/admin/user.php y /lists/admin/users.php • https://www.phplist.org/newslist/phplist-3-5-4-release-notes https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-004 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-12639
https://notcve.org/view.php?id=CVE-2020-12639
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php. phpList versiones anteriores a la versión 3.5.3, permiten un ataque de tipo XSS, dando como resultado una ascenso de privilegios, por medio del archivo lists/admin/template.php. • https://github.com/phpList/phplist3/compare/3.5.2...3.5.3 https://www.phplist.org/newslist/phplist-3-5-3-release-notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-8547 – phpList 3.5.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-8547
phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. phpList versión 3.5.0, permite el malabarismo de tipos (type juggling) para omitir el inicio de sesión de administrador porque se utiliza == en lugar de === para los hashes de contraseña, que maneja inapropiadamente los hash que comienzan con 0e seguido de caracteres numéricos exclusivamente. • https://www.exploit-db.com/exploits/47989 •
CVE-2015-3345
https://notcve.org/view.php?id=CVE-2015-3345
SQL injection vulnerability in the PHPlist Integration Module before 6.x-1.7 for Drupal allows remote administrators to execute arbitrary SQL commands via unspecified vectors, related to the "phpList database." Vulnerabilidad de inyección SQL en el módulo PHPlist Integration anterior a 6.x-1.7 para Drupal permite a administradores remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados, relacionado con la 'base de datos de phpList.' • http://www.openwall.com/lists/oss-security/2015/01/29/6 http://www.securityfocus.com/bid/72634 https://www.drupal.org/node/2402517 https://www.drupal.org/node/2403343 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •