Security Research & Advisories

Stored Cross-Site Scripting(XSS) Vulnerability in phpList 3.5.4

Product phpList
Affected Version(s) 3.5.4-RC1, 3.5.3 and probably prior
Tested Version(s) 3.5.4-RC1 and 3.5.3
Vendor Notification May 20, 2020
Advisory Publication May 20, 2020 [without technical details]
Vendor Fix N/A
Public Disclosure N/A
Latest Modification May 20, 2020
CVE Identifier(s) Pending
Product Description phpList delivers Open Source email marketing, including analytics, list segmentation, content personalization and bounce processing.
Credits Carlos Ramírez L. Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Stored Cross-Site Scripting (XSS) Vulnerability
Severity: Medium CVSS Score: 5.4 CWE-ID: CWE-79 Status: Not Fixed
Vulnerability Description
The phpList web application is affected by stored Cross-Site Scripting (XSS) vulnerability affecting version 3.5.4-RC1, 3.5.3 and probably prior versions. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
CVSS Base Score
Attack Vector Network Scope Changed
Attack Complexity Low Confidentiality Impact Low
Privileges Required Low Integrity Impact Low
User Interaction Required Availability Impact None


Full details about the vulnerability will be disclosed once the vendor has provided a patch.