Vulnerabilities (CVE)

Filtered by vendor Phplist Subscribe
Total 39 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-23208 1 Phplist 1 Phplist 2024-02-28 3.5 LOW 5.4 MEDIUM
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Send test" field under the "Start or continue campaign" module.
CVE-2020-23361 1 Phplist 1 Phplist 2024-02-28 7.5 HIGH 9.8 CRITICAL
phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
CVE-2021-3188 1 Phplist 1 Phplist 2024-02-28 10.0 HIGH 9.8 CRITICAL
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.
CVE-2020-35708 1 Phplist 1 Phplist 2024-02-28 6.5 MEDIUM 7.2 HIGH
phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.
CVE-2020-15073 1 Phplist 1 Phplist 2024-02-28 3.5 LOW 5.4 MEDIUM
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
CVE-2020-15072 1 Phplist 1 Phplist 2024-02-28 6.5 MEDIUM 8.8 HIGH
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
CVE-2020-12639 1 Phplist 1 Phplist 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.
CVE-2020-13827 1 Phplist 1 Phplist 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.
CVE-2020-8547 1 Phplist 1 Phplist 2024-02-28 7.5 HIGH 9.8 CRITICAL
phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
CVE-2014-2916 1 Phplist 1 Phplist 2024-02-28 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/.
CVE-2012-4246 1 Phplist 1 Phplist 2024-02-28 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page.
CVE-2012-3952 1 Phplist 1 Phplist 2024-02-28 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page.
CVE-2012-4247 1 Phplist 1 Phplist 2024-02-28 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page.
CVE-2012-3953 1 Phplist 1 Phplist 2024-02-28 7.5 HIGH N/A
SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page.
CVE-2012-2740 1 Phplist 1 Phplist 2024-02-28 7.5 HIGH N/A
SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action.
CVE-2012-2741 1 Phplist 1 Phplist 2024-02-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers action.
CVE-2008-6178 2 Fckeditor, Phplist 2 Fckeditor, Phplist 2024-02-28 7.5 HIGH N/A
Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information.
CVE-2006-5524 1 Phplist 1 Phplist 2024-02-28 6.8 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321.
CVE-2004-2744 1 Phplist 1 Mailing List Manager 2024-02-28 5.0 MEDIUM N/A
Unspecified vulnerability in Tincan Limited PHPlist before 2.8.12 has unknown impact and attack vectors, related to a "security update release."