PT-2012-4227 · Phplist · Phplist

Gjoko Krstic

Published

2012-09-06

Updated

2012-09-13

CVE-2012-2740

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions phpList versions prior to 2.10.18

Description The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the sortby parameter in a find action, specifically targeting the public html/lists/admin area.

Recommendations For versions prior to 2.10.18, update to version 2.10.18 or later to resolve the issue. As a temporary workaround, consider restricting access to the public html/lists/admin area or avoiding the use of the sortby parameter in find actions until the update is applied.

Exploit

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2012-2740

Affected Products

Phplist

PT-2012-4227 · Phplist · Phplist

CVE-2012-2740

Weakness Enumeration

Related Identifiers

Affected Products

References · 11