Lucene search

GoogleOSV:BIT-PHPLIST-2021-3188

HistoryMar 06, 2024 - 11:01 a.m.

BIT-phplist-2021-3188

2024-03-0611:01:34

Google

osv.dev

phplist

csv injection

email parameter

software

security vulnerability

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

79.4%

JSON

phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.

CPENameOperatorVersion
phplistle3.6.0
phplistge3.6.0

CPE	Name	Operator	Version
	phplist	le	3.6.0
	phplist	ge	3.6.0

References

wehackmx.com/security-research/WeHackMX-2021-001/

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

79.4%

JSON

Related for OSV:BIT-PHPLIST-2021-3188