PT-2005-4345 · Php · Phplist

Tobias Klein · Published 2005-11-16 · Updated 2018-10-19 · CVE-2005-3556

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: PHPlist versions 2.10.1 and earlier

Description: The issue allows remote attackers to inject arbitrary web script or HTML via parameters in several PHP files: the listname parameter in "admin/editlist.php", the title parameter in "admin/spageedit.php" and "admin/template.php", the filter, delete and start parameters in "admin/eventlog.php", the id parameter in "admin/configure.php", the find parameter in "admin/users.php", the start parameter in "admin/admin.php", and the action parameter in "admin/fckphplist.php".

Recommendations: For PHPlist versions 2.10.1 and earlier, until a patched version is available, consider disabling the affected parameters (listname, title, filter, delete, start, id, find and action) in their respective PHP files. Restrict access to the vulnerable files ("admin/editlist.php", "admin/spageedit.php", "admin/template.php", "admin/eventlog.php", "admin/configure.php", "admin/users.php", "admin/admin.php" and "admin/fckphplist.php") to minimize the risk of exploitation.


Related Identifiers: CVE-2005-3556

Affected Products: Phplist