PT-2025-20411 · Phplist · Phplist
Published: 2025-05-08
Updated: 2025-06-16
CVE-2025-28073
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
phplist version 3.6.3
Description
The issue is a Reflected Cross-Site Scripting (XSS) vulnerability. Because the id parameter of the "/lists/dl.php" endpoint is not properly sanitized, an attacker can inject arbitrary JavaScript code by manipulating that parameter.
Recommendations
For phplist version 3.6.3, as a temporary workaround, consider restricting access to the "/lists/dl.php" endpoint until a patch is available. Avoid using the id parameter of the affected endpoint until the issue is resolved.
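Added example, not part of this advisory or of phplist itself: a check a defender can run over web-server access logs to spot requests that send something other than a numeric value in the id parameter of /lists/dl.php. It assumes the parameter is expected to be a plain integer and that the logs are in the common "combined" format; the log lines below are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/May/2025:10:00:01 +0000] "GET /lists/dl.php?id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [08/May/2025:10:00:02 +0000] "GET /lists/dl.php?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.12 - - [08/May/2025:10:00:03 +0000] "GET /lists/index.php?page=subscribers HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [08/May/2025:10:00:04 +0000] "GET /lists/dl.php?id=7%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: dl.php is only ever called with a numeric list id, so anything
# else in the parameter is worth a look (allow-list rather than payload matching).
ID_OK = re.compile(r'^\d+$')
TARGET_PATH = "/lists/dl.php"


def suspicious_dl_requests(log_text):
    """Return (client_ip, decoded_id) for every /lists/dl.php request whose
    id parameter is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes once; unquote again so double-encoded
        # values are compared in their final form.
        for raw in parse_qs(url.query, keep_blank_values=True).get("id", []):
            value = unquote(raw)
            if not ID_OK.match(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_dl_requests(SAMPLE_LOG):
        print(f"{ip}: non-numeric id -> {value!r}")
```

The same allow-list rule (integer-only id) is also the input validation a fix for the endpoint would need to enforce server-side before the value reaches any HTML output.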
Affected Products
Phplist