PT-2023-21218 · Phplist · Phplist

Published: 2023-08-18 · Updated: 2024-10-07

CVE-2023-27576

CVSS v3.1: 6.7 (Medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: phpList versions prior to 3.6.14
Description: A broken access control issue (an IDOR) in phpList's admin-edit flow lets an authenticated administrator who is not the super admin modify the super admin's account data, leading to takeover of the super-admin account. In a request carrying updatepassword=1, the server does not tie the record being edited to the administrator who owns the session: by tampering with both the ID parameter and the associated username, the attacker bypasses the email confirmation that is supposed to be required before such a change takes effect. Concretely, the ID is set to 1 (the super admin's record) and the username to an arbitrary value such as admin2. The attacker can then replace the super admin's email address with one under their control, request a password reset for the super-admin account, receive the reset at the attacker-controlled address, and log in as the super admin.
Recommendations: For versions prior to 3.6.14, update to 3.6.14 or later, which resolves the issue. As a temporary workaround until the upgrade, restrict who can reach the updatepassword=1 request path (for example with a rule in the web server or WAF in front of the admin interface) to reduce the exposure. In addition, monitor for changes to the super admin's email address and for password-reset requests against the super-admin account, and treat any such event the super admin did not initiate as a takeover attempt, since those two steps are what the attack depends on.
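To make the access error in the Description and the first workaround in the Recommendations concrete, the following is an added example written for this page, not phpList's code. It models an "edit admin" handler in two shapes: the vulnerable one, which chooses the record to edit from the client-supplied id and applies a new email immediately when updatepassword=1 is set, and a hardened one, which authorizes the id against the session, refuses edits to record 1 by anyone other than the super admin, and parks an email change until a mailed token comes back. The parameter names (id, updatepassword, username, email) and the super-admin ID 1 follow the advisory; the Admin data model, the function names, the sample accounts and the confirmation-token scheme are assumptions made for illustration.

```python
"""Model of the access-control bug the advisory describes and a hardened handler.

Added example for this page, not phpList's code. Parameter names and the
super-admin ID 1 follow the advisory; the data model, function names and the
confirmation-token scheme are assumptions made for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SUPER_ADMIN_ID = 1  # the advisory identifies ID 1 as the super admin record


@dataclass
class Admin:
    id: int
    username: str
    email: str
    superuser: bool
    pending_email: Optional[str] = None   # hardened flow parks unconfirmed addresses here
    pending_token: Optional[str] = None   # token that must come back via the mailed link


def make_admins() -> Dict[int, Admin]:
    """Constructed sample data: the super admin plus one ordinary admin."""
    return {
        1: Admin(1, "admin", "root@example.org", True),
        5: Admin(5, "editor", "editor@example.org", False),
    }


def vulnerable_update(admins: Dict[int, Admin], session_admin_id: int, params: dict) -> str:
    """Vulnerable shape: the record to edit is chosen by the client-supplied id.

    Nothing ties params["id"] to the admin who owns the session, and the
    updatepassword=1 branch writes the new username and email straight
    through, so the confirmation the email change should require never happens.
    """
    target = admins[int(params["id"])]
    if params.get("updatepassword") == "1":
        target.username = params.get("username", target.username)
        target.email = params.get("email", target.email)
    return "ok"


def hardened_update(admins: Dict[int, Admin], session_admin_id: int, params: dict) -> str:
    """Hardened shape: authorize against the session, defer the email change."""
    requester = admins[session_admin_id]
    target_id = int(params["id"])
    # Only a superuser may edit someone else's record, and nobody but the super
    # admin itself may edit record 1; the id parameter is checked, not trusted.
    if target_id != session_admin_id:
        if not requester.superuser or target_id == SUPER_ADMIN_ID:
            return "forbidden"
    target = admins[target_id]
    if params.get("updatepassword") == "1":
        target.username = params.get("username", target.username)
    new_email = params.get("email")
    if new_email and new_email != target.email:
        # The address is not applied until the token mailed to it comes back.
        target.pending_email = new_email
        target.pending_token = secrets.token_urlsafe(32)
        return "confirmation_required"
    return "ok"


def confirm_email(admins: Dict[int, Admin], admin_id: int, token: str) -> bool:
    """Completes the hardened flow when the mailed token is presented."""
    admin = admins[admin_id]
    if admin.pending_email is None or admin.pending_token is None:
        return False
    if not hmac.compare_digest(token, admin.pending_token):
        return False
    admin.email, admin.pending_email, admin.pending_token = admin.pending_email, None, None
    return True


def takeover_attempt(handler):
    """Replays the request shape from the advisory against a fresh data set:
    admin 5 (not a superuser) sends id=1, updatepassword=1, username=admin2
    and an attacker-controlled email. Returns (result, super admin username,
    super admin email) so the two handlers can be compared."""
    admins = make_admins()
    result = handler(admins, 5, {
        "id": "1",
        "updatepassword": "1",
        "username": "admin2",
        "email": "attacker@example.net",  # constructed attacker address
    })
    return result, admins[SUPER_ADMIN_ID].username, admins[SUPER_ADMIN_ID].email


if __name__ == "__main__":
    print("vulnerable:", takeover_attempt(vulnerable_update))
    print("hardened:  ", takeover_attempt(hardened_update))
```

Running the block shows the vulnerable handler renaming the super admin to admin2 and swapping in the attacker's address, while the hardened one answers "forbidden" and leaves record 1 untouched. The point of the hardened version is that authorization is derived from the session and the stored privilege flag, never from fields the client can edit, and that an email change is a two-step operation whose second step can only be completed from the new mailbox.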

Exploit · Fix

Weakness Enumeration: IDOR (insecure direct object reference)

Related Identifiers: BIT-PHPLIST-2023-27576 · CVE-2023-27576

Affected Products: Phplist