CRITICAL🇬🇧 English

CVE-2020-22249

CVSS 9.8v3.1pub. 2021-07-06upd. 2024-11-21

Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file, Uploading a malicious plugin which contains the php files with extensions like PHP,phtml,php7 will be copied to the plugins directory which would lead to the remote code execution

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Phplist

    APP
    Phplist
    3.5.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCE
CWE
Referencje

Powiązane podatności

CVE-2020-23361CRITICAL9.8ten sam produkt

phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, whi...

CVE-2021-3188CRITICAL9.8ten sam produkt

phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.

CVE-2020-8547CRITICAL9.8ten sam produkt

phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashe...

CVE-2017-20029HIGH7.3ten sam produkt

A vulnerability was found in PHPList 3.2.6 and classified as critical. This issue affects some unknown process...

CVE-2020-35708HIGH7.2ten sam produkt

phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Impo...