Phplist
by Phplist
CVEs (52)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2021-3188 | 0.00 | — | 0.02 | Jan 21, 2021 | phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. |
| CVE-2020-35708 | 0.00 | — | 0.01 | Dec 25, 2020 | phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page. |
| CVE-2020-15072 | 0.00 | — | 0.01 | Jul 8, 2020 | An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section. |
| CVE-2020-15073 | 0.00 | — | 0.01 | Jul 8, 2020 | An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section. |
| CVE-2020-13827 | 0.00 | — | 0.01 | Jun 4, 2020 | phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php. |
| CVE-2020-12639 | 0.00 | — | 0.01 | May 4, 2020 | phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php. |
| CVE-2014-2916 | 0.00 | — | 0.01 | May 5, 2014 | Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/. |
| CVE-2006-5322 | 0.00 | — | 0.01 | Oct 17, 2006 | Multiple SQL injection vulnerabilities in phplist before 2.10.3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2006-1746 | 0.00 | — | 0.02 | Apr 12, 2006 | Directory traversal vulnerability in PHPList 2.10.2 and earlier allows remote attackers to include arbitrary local files via the (1) GLOBALS[database_module] or (2) GLOBALS[language_module] parameters, which overwrite the underlying $GLOBALS variable. |
| CVE-2005-3557 | 0.00 | — | 0.02 | Nov 16, 2005 | Directory traversal vulnerability in admin/defaults.php in PHPlist 2.10.1 and earlier allows remote attackers to access arbitrary files via a .. (dot dot) in the selected%5B%5D parameter in an HTTP POST request. |
| CVE-2005-2433 | 0.00 | — | 0.03 | Aug 3, 2005 | PhpList allows remote attackers to obtain sensitive information via a direct request to (1) about.php, (2) connect.php, (3) domainstats.php or (4) usercheck.php in public_html/lists/admin directory, (5) attributes.php, (6) dbcheck.php, (7) importcsv.php, (8) user.php, (9)… |
| CVE-2004-2744 | 0.00 | — | 0.01 | Dec 31, 2004 | Unspecified vulnerability in Tincan Limited PHPlist before 2.8.12 has unknown impact and attack vectors, related to a "security update release." |
Page 3 of 3