Software: PhpList
Version: 3.6.0
Publication: 27 – January – 2021
Credits: Luis Daniel Hernández Guadarrama | WeHackMX
Status: Open
Severity: Medium
CVSS Score: 5.4
CVE: N/A

Vulnerability Details

The phpList application version 3.6.0 is vulnerable to Stored Cross-Site Scripting. An attacker can execute external JavaScript code in the web application through the “description” parameter to steal credentials or session cookies, or to execute arbitrary actions.

The following screenshot shows a proof of concept (PoC). First, we select the “Añadir una lista” (“Add a list”) option.

The application prevents the <script> string from being included; however, the filtering can be bypassed by using variations. As shown in the following screenshot, we included the payload <body onafterprint=alert('WeHackMx')> in the “description” parameter.

Finally, when the web page is refreshed the script code is executed, displaying a message box as part of the PoC.
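
The PHP sketch below shows why a filter that only rejects the <script> string lets the payload above through, and how HTML-encoding the stored description on output renders it as inert text. It is an added example, not phpList code: the function names are hypothetical, the denylist is a stand-in for the filtering the advisory describes, and the sample values are constructed.

```php
<?php
// Added example; not phpList code. Function names are hypothetical.

// Stand-in for the kind of denylist the advisory describes: it rejects
// input containing "<script" and accepts everything else.
function denylist_accepts(string $input): bool
{
    return stripos($input, '<script') === false;
}

// Contextual output encoding for HTML body text and quoted attribute values.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values for the "description" field.
$samples = [
    'plain text'       => 'Monthly newsletter',
    'script tag'       => '<script>alert(1)</script>',
    'advisory payload' => "<body onafterprint=alert('WeHackMx')>",
];

foreach ($samples as $label => $description) {
    $accepted = denylist_accepts($description);
    $encoded  = encode_for_html($description);

    // After encoding, no markup-significant character remains, so the
    // browser shows the value as text instead of parsing a tag or handler.
    $inert = strpbrk($encoded, '<>"\'') === false;

    printf(
        "%-17s denylist: %-8s inert after encoding: %-3s output: %s\n",
        $label,
        $accepted ? 'accepted' : 'rejected',
        $inert ? 'yes' : 'no',
        $encoded
    );
}
```

The advisory payload is accepted by the denylist but is inert once encoded, which is why the mitigation belongs at output time for every place the description is rendered rather than in input pattern matching.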