phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
Configurations
No configuration.
History
07 Jun 2025, 15:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
Summary | (en) phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript. |
12 May 2025, 22:15
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown, v3 : 6.1 |
CWE | CWE-79 |
12 May 2025, 17:32
Type | Values Removed | Values Added |
---|---|---|
Summary | |
08 May 2025, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-05-08 21:15
Updated : 2025-06-07 15:15
NVD link : CVE-2025-28074
Mitre link : CVE-2025-28074
CVE.ORG link : CVE-2025-28074
Products Affected
No product.
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')