CVE-2025-28074

phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
Configurations

No configuration.

History

07 Jun 2025, 15:15

Type: Summary
Values Removed: (en) phpList prior to 3.6.3 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
Values Added: (en) phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.

Type: References
Values Added:
  • https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15
  • https://www.phplist.org/newslist/phplist-3-6-15-release-notes/

12 May 2025, 22:15

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 6.1

Type: CWE
Values Added: CWE-79

12 May 2025, 17:32

Type: Summary
Values Added:
  • (es, translated to English) Versions of phpList prior to 3.6.3 are vulnerable to cross-site scripting (XSS) attacks due to improper input sanitization in lt.php. This vulnerability can be exploited when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.

08 May 2025, 21:15

Type: New CVE

Information

Published : 2025-05-08 21:15

Updated : 2025-06-07 15:15

NVD link : CVE-2025-28074

Mitre link : CVE-2025-28074

CVE.ORG link : CVE-2025-28074

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')