PT-2005-4345 · Php · Phplist

Tobias Klein

·

Published

2005-11-16

·

Updated

2018-10-19

·

CVE-2005-3556

CVSS v2.0

4.3

Medium

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

PHPlist versions 2.10.1 and earlier

Description

The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different PHP files, including the listname parameter in "admin/editlist.php", title parameter in "admin/spageedit.php" and "admin/template.php", filter, delete, and start parameters in "admin/eventlog.php", id parameter in "admin/configure.php", find parameter in "admin/users.php", start parameter in "admin/admin.php", and action parameter in "admin/fckphplist.php".

Recommendations

For PHPlist versions 2.10.1 and earlier, consider disabling the affected parameters, such as listname, title, filter, delete, start, id, find, and action, in their respective PHP files until a patch is available. Restrict access to the vulnerable PHP files, including "admin/editlist.php", "admin/spageedit.php", "admin/template.php", "admin/eventlog.php", "admin/configure.php", "admin/users.php", "admin/admin.php", and "admin/fckphplist.php", to minimize the risk of exploitation.

Exploit

Fix

Related identifiers

CVE-2005-3556

Affected products

Phplist