Vulnerabilities

alexmateescu34 · February 28, 2022, 10:49am

Hi all.

Upon scanning for vulnerabilities on the latest phplist (3.6.7) the following were found:

CVE-2020-35708: SQL injection by admins who provide a crafted fourth line of a file to the ‘Config - Import Administrators’ page
CVE-2021-3188: CSV injection, related to the email parameter, and /lists/admin/ exports

As they are quite old at this time i was wondering when can they be patched?

Regards

Alex

aulona_kolicaj · March 1, 2022, 1:29pm

Hi Alex,

Regarding reporting a security issue please see https://github.com/phpList/phplist3/blob/master/CONTRIBUTING.md .
Reporting it directly gives us the best chance of identifying what occurred and remediating it immediately protecting our service.

Regards,
Aulona

michiel · March 1, 2022, 7:35pm

Bottom line, the scanner being used is outdated (by the looks of it)