CVE-2014-2916
https://notcve.org/view.php?id=CVE-2014-2916
Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/.
References: http://labs.davidsopas.com/2014/04/phplist-csrf-on-subscription-page.html • http://secunia.com/advisories/57893 • http://www.phplist.com/?lid=638 • http://www.securitytracker.com/id/1030191
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2012-2741 – phpList 2.10.17 - SQL Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2741
Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action.
References: https://www.exploit-db.com/exploits/18639 • http://securitytracker.com/id?1027181 • http://www.openwall.com/lists/oss-security/2012/06/16/1 • http://www.openwall.com/lists/oss-security/2012/06/17/2 • http://www.securityfocus.com/bid/52657 • http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php • https://mantis.phplist.com/view.php?id=16557 • https://www.phplist.com/?lid=567
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2740 – phpList 2.10.17 - SQL Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2740
SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action.
References: https://www.exploit-db.com/exploits/18639 • http://securitytracker.com/id?1027181 • http://www.openwall.com/lists/oss-security/2012/06/16/1 • http://www.openwall.com/lists/oss-security/2012/06/17/2 • http://www.securityfocus.com/bid/52657 • http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php • https://mantis.phplist.com/view.php?id=16557 • https://www.phplist.com/?lid=567
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2012-4247 – phpList 2.10.9 - Cross-Site Request Forgery / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-4247
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page.
References: https://www.exploit-db.com/exploits/18419 • http://www.phplist.com/?lid=579 • https://www.httpcs.com/advisories • https://www.httpcs.com/advisory/httpcs1 • https://www.httpcs.com/advisory/httpcs2 • https://www.httpcs.com/advisory/httpcs3 • https://www.httpcs.com/advisory/httpcs4 • https://www.httpcs.com/advisory/httpcs6 • https://www.httpcs.com/advisory/httpcs7
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-4246 – phpList 2.10.9 - Cross-Site Request Forgery / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-4246
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page.
References: https://www.exploit-db.com/exploits/18419 • http://www.phplist.com/?lid=579 • https://www.httpcs.com/advisories • https://www.httpcs.com/advisory/httpcs23 • https://www.httpcs.com/advisory/httpcs24 • https://www.httpcs.com/advisory/httpcs25 • https://www.httpcs.com/advisory/httpcs26
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')