CVE-2025-28073
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-28073
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-28073.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-28073
- Published
- 2025-05-08T20:15:29Z
- Modified
- 2025-06-16T21:17:59.891180Z
- Summary
- [none]
- Details
-
phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized.
- References
Affected packages
Git / github.com/phplist/phplist3
Affected ranges
- Type
- GIT
- Repo
- https://github.com/phplist/phplist3
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
3.*
3.2.0
3.2.0-RC1
3.3.0
3.3.2
3.3.3
3.3.6
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.4.9
3.5.0
3.5.1
3.5.2
3.5.3
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.6.0
3.6.1
3.6.2
v.*
v.3.2.2
v.3.3.4
v.3.3.5
v.3.3.7
v.3.3.8
v.3.4.2
v3.*
v3.2.1
v3.2.3
v3.2.4
v3.2.7
v3.3.1
v3.3.8
v3.3.9
v3.6.11
v3.6.11-RC1
v3.6.12
v3.6.12-RC
v3.6.12-RC2
v3.6.14
v3.6.14-RC1
v3.6.15-RC1
v3.6.15-RC2
v3.6.3
v3.6.3-RC1
v3.6.3-RC2
v3.6.4-RC2
v3.6.5
v3.6.6
v3.6.6-RC1
v3.6.6-RC2
v3.6.6-RC3
v3.6.6-RC4
v3.6.6-RC5
v3.6.7-RC1
v3.6.7-RC2
v3.6.8
v3.6.8-RC1
v3.6.8-RC2
v3.6.9-RC1
v3.6.9-RC2