CVE-2012-5228 – phpList 2.10.9 - Cross-Site Request Forgery / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-5228
Cross-site scripting (XSS) vulnerability in admin/index.php in phplist 2.10.9, 2.10.17, and possibly other versions before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the testtarget parameter. NOTE: some of these details are obtained from third party information. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en admin/index.php en phplist v2.10.9, v2.10.17, y posiblemente otras versiones anteriores a v2.10.19, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro testtarget. NOTA: algunos de estos detalles se han obtenido de terceros. • https://www.exploit-db.com/exploits/18419 http://osvdb.org/78548 http://secunia.com/advisories/47727 http://www.exploit-db.com/exploits/18419 http://www.securityfocus.com/bid/51681 https://exchange.xforce.ibmcloud.com/vulnerabilities/72747 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-1682 – phpList 2.10.9 - Cross-Site Request Forgery / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-1682
Multiple cross-site request forgery (CSRF) vulnerabilities in phpList 2.10.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create a list or (2) insert cross-site scripting (XSS) sequences. NOTE: this issue exists because of an incomplete fix for CVE-2011-0748. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en phpList v2.10.13 y anteriores permiten a atacantes remotos secuestras la autenticación de los adminitradores para peticiones que (1) creen una lista o (2) inserten secuencias de comandos en sitios cruzados (XSS). NOTA: esta vulnerabilidad existe por una solución incompleta de CVE-2011-0748. • https://www.exploit-db.com/exploits/18419 http://secunia.com/advisories/44041 https://exchange.xforce.ibmcloud.com/vulnerabilities/66666 https://exchange.xforce.ibmcloud.com/vulnerabilities/66816 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2011-0748 – phpList 2.10.9 - Cross-Site Request Forgery / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-0748
Multiple cross-site request forgery (CSRF) vulnerabilities in phpList before 2.10.13 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) edit administrator accounts. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en phpList anterior a v2.10.13, permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que (1) añaden o (2) editan cuentas de administrador. • https://www.exploit-db.com/exploits/18419 http://int21.de/cve/CVE-2011-0748-phplist.html http://osvdb.org/78549 http://secunia.com/advisories/44041 http://securityreason.com/securityalert/8199 http://www.exploit-db.com/exploits/18419 http://www.phplist.com/?lid=516 http://www.securityfocus.com/archive/1/517400/100/0/threaded http://www.securityfocus.com/bid/51681 https://exchange.xforce.ibmcloud.com/vulnerabilities/72746 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2009-0422 – phpList 2.10.8 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2009-0422
Dynamic variable evaluation vulnerability in lists/admin.php in phpList 2.10.8 and earlier, when register_globals is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the _SERVER[ConfigFile] parameter to admin/index.php. Vulnerabilidad de evaluación de variable dinámica en lists/admin.php en phpList v2.10.8 y versiones anteriores, cuando register_globals no está activa, permite a atacantes remotos incluir y ejecutar ficheros locales de su elección a través de secuencias de salto de directorio en el parámetro "_SERVER[ConfigFile]" de admin/index.php. • https://www.exploit-db.com/exploits/7778 http://secunia.com/advisories/33533 http://www.bugreport.ir/index_60.htm http://www.securityfocus.com/archive/1/500057/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/47945 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2008-5887
https://notcve.org/view.php?id=CVE-2008-5887
phplist before 2.10.8 allows remote attackers to include files via unknown vectors, related to a "local file include vulnerability." phplist anterior a v2.10.8 permite a atacantes remotos incluir ficheros a través de vectores desconocidos, relacionada a una "vulnerabilidad de inclusión de un fichero local." • http://secunia.com/advisories/33186 http://securityreason.com/securityalert/4901 http://www.phplist.com/?lid=273 http://www.securityfocus.com/archive/1/499218/100/0/threaded http://www.securityfocus.com/bid/32841 https://exchange.xforce.ibmcloud.com/vulnerabilities/47395 • CWE-20: Improper Input Validation •