CVE-2025-28073

Опубликовано: 08 мая 2025

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized.

Ссылки

https://github.com/mLniumm/CVE-2025-28073
Third Party Advisory
https://github.com/phpList/phplist3
Product
https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15
Product
https://www.phplist.org/newslist/phplist-3-6-15-release-notes/
Release Notes

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*

Версия до 3.6.15 (исключая)

EPSS

Процентиль: 14%

0.00044

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

CVE-2025-28073

CVSS3: 6.1

debian

9 месяцев назад

phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting ...

GHSA-4pgh-326f-32p3

CVSS3: 6.1

github

9 месяцев назад

phpList 3.6.3 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized.

EPSS

Процентиль: 14%

0.00044

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79