Hi all.
Upon scanning for vulnerabilities on the latest phplist (3.6.7), the following were found:
- CVE-2020-35708: SQL injection by admins who provide a crafted fourth line of a file to the ‘Config - Import Administrators’ page
- CVE-2021-3188: CSV injection, related to the email parameter, and /lists/admin/ exports
As they are quite old at this time, I was wondering when they can be patched?
Regards
Alex
Hi Alex,
Regarding reporting a security issue please see https://github.com/phpList/phplist3/blob/master/CONTRIBUTING.md .
Reporting it directly gives us the best chance of identifying what occurred and remediating it immediately, protecting our service.
Regards,
Aulona
This is being discussed further here: https://github.com/phpList/phplist3/issues/861
Bottom line, the scanner being used is outdated (by the looks of it).