CVE-2020-35708
Published 2020-12-25
CVE-2020-35708: phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.
Priority: P3 · 39 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.48% (70.7th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phplist | phplist | — | — |
CVSS provenance
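| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |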
No detection rules found.
Nuclei
MOVEit Transfer - SQL Injection
nuclei·CVSS 9.8
CVE-2023-35708 [CRITICAL] MOVEit Transfer - SQL Injection
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Template:
id: CVE-2023-35708
info:
name: MOVEit Transfer - SQL Injection
author: daffainfo,jjcho
severity: cri
No writeups or analysis indexed.