Vulnerabilities > Phplist

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendor | CWE | Risk |
|---|---|---|---|---|---|---|---|---|
| 2021-07-01 | CVE-2020-23217 | Cross-site Scripting vulnerability in PHPlist 3.5.3 | A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add a list" field under the "Import Emails" module. | network | low complexity | phplist | CWE-79 | 5.4 |
| 2021-01-27 | CVE-2020-23361 | Unspecified vulnerability in PHPlist 3.5.3 | phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. | network | low complexity | phplist | | critical, 9.8 |
| 2021-01-26 | CVE-2021-3188 | Improper Neutralization of Formula Elements in a CSV File vulnerability in PHPlist 3.6.0 | phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. | network | low complexity | phplist | CWE-1236 | critical, 9.8 |
| 2020-12-25 | CVE-2020-35708 | SQL Injection vulnerability in PHPlist 3.5.9 | phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page. | network | low complexity | phplist | CWE-89 | 7.2 |
| 2020-07-08 | CVE-2020-15073 | Cross-site Scripting vulnerability in PHPlist | An issue was discovered in phpList through 3.5.4. | network | low complexity | phplist | CWE-79 | 5.4 |
| 2020-07-08 | CVE-2020-15072 | SQL Injection vulnerability in PHPlist | An issue was discovered in phpList through 3.5.4. | network | low complexity | phplist | CWE-89 | 8.8 |
| 2020-06-04 | CVE-2020-13827 | Cross-site Scripting vulnerability in PHPlist | phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php. | network | low complexity | phplist | CWE-79 | 6.1 |
| 2020-05-04 | CVE-2020-12639 | Cross-site Scripting vulnerability in PHPlist | phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php. | network | low complexity | phplist | CWE-79 | 6.1 |
| 2020-02-03 | CVE-2020-8547 | Unspecified vulnerability in PHPlist 3.5.0 | phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. | network | low complexity | phplist | | critical, 9.8 |