Total
37 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-35708 | 1 Phplist | 1 Phplist | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page. | |||||
| CVE-2020-23361 | 1 Phplist | 1 Phplist | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. | |||||
| CVE-2021-3188 | 1 Phplist | 1 Phplist | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. | |||||
| CVE-2020-15072 | 1 Phplist | 1 Phplist | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section. | |||||
| CVE-2020-13827 | 1 Phplist | 1 Phplist | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php. | |||||
| CVE-2020-12639 | 1 Phplist | 1 Phplist | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php. | |||||
| CVE-2020-15073 | 1 Phplist | 1 Phplist | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section. | |||||
| CVE-2020-8547 | 1 Phplist | 1 Phplist | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. | |||||
| CVE-2014-2916 | 1 Phplist | 1 Phplist | 2024-02-04 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/. | |||||
| CVE-2012-3953 | 1 Phplist | 1 Phplist | 2024-02-04 | 7.5 HIGH | N/A |
| SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page. | |||||
| CVE-2012-2740 | 1 Phplist | 1 Phplist | 2024-02-04 | 7.5 HIGH | N/A |
| SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action. | |||||
| CVE-2012-2741 | 1 Phplist | 1 Phplist | 2024-02-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action. | |||||
| CVE-2012-3952 | 1 Phplist | 1 Phplist | 2024-02-04 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page. | |||||
| CVE-2012-4247 | 1 Phplist | 1 Phplist | 2024-02-04 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page. | |||||
| CVE-2012-4246 | 1 Phplist | 1 Phplist | 2024-02-04 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page. | |||||
| CVE-2008-6178 | 2 Fckeditor, Phplist | 2 Fckeditor, Phplist | 2024-02-04 | 7.5 HIGH | N/A |
| Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2006-5524 | 1 Phplist | 1 Phplist | 2024-02-04 | 6.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321. | |||||