cvebase

Tincan Phplist vulnerabilities

12 known vulnerabilities affecting tincan/phplist.

Total CVEs: 12
CISA KEV: 0
Public exploits: 7
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 10

Vulnerabilities

CVE-2009-0422 | P3 | HIGH | CVSS 7.5 | PoC | ≤ 2.10.8 | v1.0 +68 more | 2009-02-05
CVE-2009-0422 [HIGH] CWE-94: Dynamic variable evaluation vulnerability in lists/admin.php in phpList 2.10.8 and earlier, when register_globals is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the _SERVER[ConfigFile] parameter to admin/index.php.
nvd
CVE-2005-3555 | P4 | MEDIUM | CVSS 6.5 | PoC | ≤ 2.10.1 | 2005-11-16
CVE-2005-3555 [MEDIUM]: Multiple SQL injection vulnerabilities in PHPlist 2.10.1 and earlier allow authenticated remote attackers with administrator privileges to execute arbitrary SQL commands via the id parameter in the (1) editattributes or (2) admin page.
nvd
CVE-2011-0748 | P4 | MEDIUM | CVSS 6.8 | PoC | ≤ 2.10.12 | v1.0 +72 more | 2011-04-13
CVE-2011-0748 [MEDIUM] CWE-352: Multiple cross-site request forgery (CSRF) vulnerabilities in phpList before 2.10.13 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) edit administrator accounts.
nvd
CVE-2005-3556 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 2.10.1 | 2005-11-16
CVE-2005-3556 [MEDIUM]: Multiple cross-site scripting (XSS) vulnerabilities in PHPlist 2.10.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) listname parameter in (a) admin/editlist.php, (2) title parameter in (b) admin/spageedit.php, (3) title field in (c) admin/template.php, (4) filter, (5) delete, and (6) start parameters in (d) admin/eventl
nvd
CVE-2012-5228 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 2.10.18 | v1.0 +79 more | 2012-10-01
CVE-2012-5228 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in admin/index.php in phplist 2.10.9, 2.10.17, and possibly other versions before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the testtarget parameter. NOTE: some of these details are obtained from third party information.
nvd
CVE-2011-1682 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 2.10.13 | v1.0 +73 more | 2011-04-13
CVE-2011-1682 [MEDIUM]: Multiple cross-site request forgery (CSRF) vulnerabilities in phpList 2.10.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create a list or (2) insert cross-site scripting (XSS) sequences. NOTE: this issue exists because of an incomplete fix for CVE-2011-0748. NOTE: the provenance of this information
nvd
CVE-2006-5294 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 2.10.2 | v2.6 +6 more | 2006-10-16
CVE-2006-5294 [MEDIUM]: Cross-site scripting (XSS) vulnerability in index.php in phplist before 2.10.3 allows remote attackers to inject arbitrary web script or HTML via the unsubscribeemail parameter.
nvd
CVE-2006-5322 | P3 | HIGH | CVSS 7.5 | ≤ 2.10.2 | v2.8.12 +4 more | 2006-10-17
CVE-2006-5322 [HIGH]: Multiple SQL injection vulnerabilities in phplist before 2.10.3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
nvd
CVE-2008-5887 | P4 | MEDIUM | CVSS 5.0 | ≤ 2.10.7 | v1.0 +67 more | 2009-01-12
CVE-2008-5887 [MEDIUM] CWE-20: phplist before 2.10.8 allows remote attackers to include files via unknown vectors, related to a "local file include vulnerability."
nvd
CVE-2005-3557 | P4 | MEDIUM | CVSS 5.0 | ≤ 2.10.1 | 2005-11-16
CVE-2005-3557 [MEDIUM]: Directory traversal vulnerability in admin/defaults.php in PHPlist 2.10.1 and earlier allows remote attackers to access arbitrary files via a .. (dot dot) in the selected%5B%5D parameter in an HTTP POST request.
nvd
CVE-2006-1746 | P4 | MEDIUM | CVSS 5.0 | ≤ 2.10.2 | v2.6 +11 more | 2006-04-12
CVE-2006-1746 [MEDIUM] CWE-22: Directory traversal vulnerability in PHPList 2.10.2 and earlier allows remote attackers to include arbitrary local files via the (1) GLOBALS[database_module] or (2) GLOBALS[language_module] parameters, which overwrite the underlying $GLOBALS variable.
nvd
CVE-2006-5321 | P4 | MEDIUM | CVSS 4.3 | ≤ 2.10.2 | v2.6 +11 more | 2006-10-17
CVE-2006-5321 [MEDIUM]: Multiple cross-site scripting (XSS) vulnerabilities in phplist before 2.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd