CVSS: 9.8EPSS: 12%CPEs: 1EXPL: 1CVE-2020-8547 – phpList 3.5.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-8547
phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. phpList versión 3.5.0, permite el malabarismo de tipos (type juggling) para omitir el inicio de sesión de administrador porque se utiliza == en lugar de === para los hashes de contraseña, que maneja inapropiadamente los hash que comienzan con 0e seguido de caracteres numéricos exclusivamente. • https://www.exploit-db.com/exploits/47989 •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 1CVE-2014-2916
https://notcve.org/view.php?id=CVE-2014-2916
Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/. Vulnerabilidad de CSRF en el editor de página de suscripción en phpList anterior a 3.0.6 permite a atacantes remotos secuestrar la autenticación de administradores a través de una solicitud hacia admin/. • http://labs.davidsopas.com/2014/04/phplist-csrf-on-subscription-page.html http://secunia.com/advisories/57893 http://www.phplist.com/?lid=638 http://www.securitytracker.com/id/1030191 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 81EXPL: 2CVE-2012-5228 – phpList 2.10.9 - Cross-Site Request Forgery / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-5228
Cross-site scripting (XSS) vulnerability in admin/index.php in phplist 2.10.9, 2.10.17, and possibly other versions before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the testtarget parameter. NOTE: some of these details are obtained from third party information. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en admin/index.php en phplist v2.10.9, v2.10.17, y posiblemente otras versiones anteriores a v2.10.19, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro testtarget. NOTA: algunos de estos detalles se han obtenido de terceros. • https://www.exploit-db.com/exploits/18419 http://osvdb.org/78548 http://secunia.com/advisories/47727 http://www.exploit-db.com/exploits/18419 http://www.securityfocus.com/bid/51681 https://exchange.xforce.ibmcloud.com/vulnerabilities/72747 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 3CVE-2012-2740 – phpList 2.10.17 - SQL Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2740
SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action. Vulnerabilidad de inyección SQL en public_html/lists/admin en phpList anterior a v2.10.18, permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro SortBy en una acción de encontrar. • https://www.exploit-db.com/exploits/18639 http://securitytracker.com/id?1027181 http://www.exploit-db.com/exploits/18639 http://www.openwall.com/lists/oss-security/2012/06/16/1 http://www.openwall.com/lists/oss-security/2012/06/17/2 http://www.securityfocus.com/bid/52657 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php https://mantis.phplist.com/view.php?id=16557 https://www.phplist.com/?lid=567 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 16EXPL: 3CVE-2012-2741 – phpList 2.10.17 - SQL Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2741
Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en public_html/lists/admin/ en phpList anterior a v2.10.18, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro num en una acción reconcileusers • https://www.exploit-db.com/exploits/18639 http://securitytracker.com/id?1027181 http://www.exploit-db.com/exploits/18639 http://www.openwall.com/lists/oss-security/2012/06/16/1 http://www.openwall.com/lists/oss-security/2012/06/17/2 http://www.securityfocus.com/bid/52657 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php https://mantis.phplist.com/view.php?id=16557 https://www.phplist.com/?lid=567 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •