phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
References
Link | Resource
---|---
https://github.com/mLniumm/CVE-2025-28074 | Third Party Advisory
https://github.com/phpList/phplist3/blob/main/public_html/lists/lt.php | Product
https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15 | Product
https://www.phplist.org/newslist/phplist-3-6-15-release-notes/ | Release Notes
Configurations
History
16 Jun 2025, 18:39

Type | Values Removed | Values Added
---|---|---
First Time | | Phplist; Phplist phplist
References | | https://github.com/mLniumm/CVE-2025-28074 - Third Party Advisory
References | | https://github.com/phpList/phplist3/blob/main/public_html/lists/lt.php - Product
References | | https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15 - Product
References | | https://www.phplist.org/newslist/phplist-3-6-15-release-notes/ - Release Notes
CPE | | cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*

07 Jun 2025, 15:15

Type | Values Removed | Values Added
---|---|---
References | |
Summary | | (en) phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.

12 May 2025, 22:15

Type | Values Removed | Values Added
---|---|---
CVSS | v2 : v3 : | v2 : unknown, v3 : 6.1
CWE | | CWE-79

12 May 2025, 17:32

Type | Values Removed | Values Added
---|---|---
Summary | |

08 May 2025, 21:15

Type | Values Removed | Values Added
---|---|---
New CVE | |
Information
Published : 2025-05-08 21:15
Updated : 2025-06-16 18:39
NVD link : CVE-2025-28074
Mitre link : CVE-2025-28074
CVE.ORG link : CVE-2025-28074
Products Affected
phplist
- phplist
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')