FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpList -- SQL injection and XSS vulnerability

Affected packages
phplist <= 2.10.17


VuXML ID fd8bac56-c444-11e1-864b-001cc0877741
Discovery 2012-03-21
Entry 2012-07-02

Zero Science Lab reports:

Input passed via the parameter 'sortby' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The param 'num' is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user's browser session in context of an affected site.


Bugtraq ID 52657
CVE Name CVE-2012-2740
CVE Name CVE-2012-2741