Vulnerabilities > Phplist

DATE CVE VULNERABILITY TITLE RISK
2021-07-01 CVE-2020-23217 Cross-site Scripting vulnerability in PHPlist 3.5.3
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add a list" field under the "Import Emails" module.
network
phplist CWE-79
3.5
3.5
2021-01-27 CVE-2020-23361 Incorrect Comparison vulnerability in PHPlist 3.5.3
phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
network
low complexity
phplist CWE-697
7.5
7.5
2021-01-26 CVE-2021-3188 Improper Neutralization of Formula Elements in a CSV File vulnerability in PHPlist 3.6.0
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.
network
low complexity
phplist CWE-1236
critical
 10.0
10
2020-12-25 CVE-2020-35708 SQL Injection vulnerability in PHPlist 3.5.9
phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.
network
low complexity
phplist CWE-89
6.5
6.5
2020-07-08 CVE-2020-15073 Cross-site Scripting vulnerability in PHPlist
An issue was discovered in phpList through 3.5.4.
network
phplist CWE-79
3.5
3.5
2020-07-08 CVE-2020-15072 SQL Injection vulnerability in PHPlist
An issue was discovered in phpList through 3.5.4.
network
low complexity
phplist CWE-89
6.5
6.5
2020-06-04 CVE-2020-13827 Cross-site Scripting vulnerability in PHPlist
phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.
network
low complexity
phplist CWE-79
6.1
6.1
2020-05-04 CVE-2020-12639 Cross-site Scripting vulnerability in PHPlist
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.
network
phplist CWE-79
4.3
4.3
2020-02-03 CVE-2020-8547 Type Confusion vulnerability in PHPlist 3.5.0
phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
network
low complexity
phplist CWE-843
7.5
7.5
2014-05-05 CVE-2014-2916 Cross-Site Request Forgery (CSRF) vulnerability in PHPlist
Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/.
network
phplist CWE-352
6.8
6.8