Software: phpList
Version: 3.6.0
Status: Open
Severity: Medium
CVSS Score: 5.4
CVE: CVE-2021-3338
Publication: 27 January 2021
Credits: Luis Daniel Hernández Guadarrama | WeHackMX

Vulnerability Details

phpList version 3.6.0 is vulnerable to stored cross-site scripting (XSS). An attacker can execute external JavaScript code in the web application through the “description” parameter to steal credentials or session cookies, or to execute arbitrary actions.

The following screenshots show a proof of concept (PoC). First, we select the “Añadir una lista” (“Add a list”) option.

 

The application prevents the <script> string from being added; however, the filtering can be bypassed by using variations. As shown in the following screenshot, we set the “description” variable to the code <body onafterprint=alert('WeHackMx')>.

 

Finally, when the web page is refreshed, the script code is executed, displaying a message box as part of the proof of concept.
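The example below is added here and is not phpList code. It shows why a filter that only removes the <script> string leaves the stored “description” value live, while encoding the value on output makes it inert. The function names are hypothetical, the blocklist is a stand-in for the filtering behaviour described above (an assumption, not phpList's actual filter), and the sample values are constructed apart from the PoC value quoted in this advisory.

```php
<?php
// Added example, not phpList code. All function names are hypothetical.

// Weak setting: a blocklist that strips only <script> tags (stand-in filter).
function blocklist_filter(string $input): string
{
    return preg_replace('#</?script[^>]*>#i', '', $input) ?? '';
}

// Corrected setting: encode on output so the browser treats the value as text.
function encode_for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True if the rendered fragment still contains something a browser parses as a tag.
function contains_markup(string $rendered): bool
{
    return preg_match('#<[a-z!/]#i', $rendered) === 1;
}

// Constructed sample values for the list "description" field.
$samples = [
    'plain text' => 'Monthly newsletter',
    'script tag' => '<script>alert(1)</script>',
    'advisory PoC' => "<body onafterprint=alert('WeHackMx')>",
];

foreach ($samples as $label => $value) {
    $weak = blocklist_filter($value);  // what the blocklist would store and render
    $safe = encode_for_html($value);   // what output encoding would render
    printf(
        "%-13s blocklist: %-5s encoded: %s\n",
        $label,
        contains_markup($weak) ? 'LIVE' : 'inert',
        contains_markup($safe) ? 'LIVE' : 'inert'
    );
}
```

Only the event-handler value survives the blocklist as live markup; with output encoding all three values render as plain text.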