CVE-2025-28074

{"id": "CVE-2025-28074", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-05-08T21:15:50.200", "references": [{"url": "https://github.com/mLniumm/CVE-2025-28074", "source": "cve@mitre.org"}, {"url": "https://github.com/phpList/phplist3/blob/main/public_html/lists/lt.php", "source": "cve@mitre.org"}, {"url": "https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15", "source": "cve@mitre.org"}, {"url": "https://www.phplist.org/newslist/phplist-3-6-15-release-notes/", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript."}, {"lang": "es", "value": "Las versiones anteriores a phpList 3.6.3 son vulnerables a ataques de cross site scripting (XSS) debido a una depuraci\u00f3n incorrecta de la entrada en lt.php. Esta vulnerabilidad se puede explotar cuando la aplicaci\u00f3n hace referencia din\u00e1micamente a rutas internas y procesa entradas no confiables sin escapar, lo que permite a un atacante inyectar JavaScript malicioso."}], "lastModified": "2025-06-07T15:15:21.747", "sourceIdentifier": "cve@mitre.org"}