CVE-2020-13827: phpList 3.5.4 released: Security Release

phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.


phpList 3.5.4 is now available for download, including several security fixes for issues reported by @r0ck3t1973, Songohan22 and Penghui Li, Sarthak Saini and Carlos Ramírez.

Additionally, this release includes a “Beta” version of the “Generate Preview” option, which lets you see how the preview of your campaign will look in most email clients.
You can check what the current implementation can and cannot do here, and you can propose future improvements in the mantis issue.
Thanks to @samtuke for implementing this.

Changes in this release

Usability improvements and functionality enhancements:

  1. Clickable link at the top of the click stats page — thanks to @samtuke, see [the pull request](https://github.com/phpList/phplist3/pull/656)
  2. Added HTTP_Request2 as a fallback when curl is not available — thanks to @duncanc, see [the pull request](https://github.com/phpList/phplist3/pull/652) for more details.
  3. Updater menu entry is now shown only for superusers
  4. The updater handles deletion of broken symlinks
  5. Help added for the website field on the Settings page, and updated help texts about date format and tracking codes — thanks to @duncanc

Fixes

  1. [Security Fix]: Implement XSS filters in /lists/admin/admin.php and /lists/admin/admins.php — thanks to Sarthak Saini for reporting the issue and @xh3n1 for providing the fix.
  2. [Security Fix]: Implement XSS filter in /lists/admin/user.php and /lists/admin/users.php — thanks to Carlos Ramírez from wizlynx group for reporting the issue.
  3. [Security Fix]: Implement XSS filter in /lists/admin/editattributes.php — thanks to @r0ck3t1973 for reporting the issue
  4. [Security Fix]: Implement XSS filter in /lists/admin/send_core.php — thanks to @r0ck3t1973 for reporting the issue
  5. [Security Fix]: Implement XSS filter in /lists/admin/connect.php and /lists/admin/subscribelib2.php — thanks to @r0ck3t1973 for reporting the issue
  6. [Security Fix]: Implement XSS filter in /lists/admin/configure.php and /lists/admin/list.php — thanks to @r0ck3t1973 for reporting the issue
  7. [Security Fix]: Implement XSS filter in /lists/admin/importsimple.php and /inc/magic_quotes.php — thanks to @Songohan22 for reporting the issue
  8. [Security Fix]: Switch to strict comparison in /lists/admin/index.php and /lists/admin/subscribelib2.php — thanks to @peng-hui for reporting the issue
  9. Updated default list of TLDs — thanks to @duncanc for pointing out the problem
  10. Fixed an incorrect statistics link in German installations caused by an incorrect translation, see the [mantis issue](https://mantis.phplist.org/view.php?id=20183). Note that fetching translations will not fix the issue for now; the corrected version ships with the update itself. Thanks to @jimbocity for reporting it.
  11. Fixed broken link in the Install file — thanks to [Hiroyuki Sato](https://github.com/hiroyuki-sato)
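
The XSS-filter and strict-comparison items above, as an added PHP illustration that is not phpList's own code: a request value echoed unescaped beside its escaped form, and a loose `==` check beside a strict one. Function names and inputs are hypothetical.

```php
<?php
// Added illustration, not phpList's code: the two defect classes named in the
// 3.5.4 fix list, each as a weak pattern beside its hardened form.
// Function names and inputs are hypothetical; assumes PHP 7.x or 8.x.

// 1. Reflected XSS: a request value echoed straight into an admin page.
function renderNameVulnerable(string $name): string
{
    // Weak: any markup inside $name is interpreted by the browser.
    return "<h2>Subscriber: $name</h2>";
}

function renderNameHardened(string $name): string
{
    // Hardened: escape at the output sink. ENT_QUOTES also covers ' and ",
    // so the value is safe inside attribute contexts, not only in text.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Subscriber: $safe</h2>";
}

// 2. Loose comparison: == juggles types, so two different strings can compare
// equal when both look numeric. That matters for secrets such as unique ids.
function tokenMatchesLoose(string $expected, string $supplied): bool
{
    return $expected == $supplied;
}

function tokenMatchesStrict(string $expected, string $supplied): bool
{
    // Hardened: byte-exact comparison; hash_equals is also constant-time.
    return hash_equals($expected, $supplied);
}

// Constructed inputs.
$payload = '<script>alert(1)</script>';
echo renderNameVulnerable($payload), PHP_EOL; // script element survives
echo renderNameHardened($payload), PHP_EOL;   // shown as literal text

// "1e3" and "1000" are both numeric strings with value 1000, so the loose
// check accepts the pair while the strict check rejects it.
var_dump(tokenMatchesLoose('1e3', '1000'));
var_dump(tokenMatchesStrict('1e3', '1000'));
// Two "0e..." strings both evaluate to 0 under loose comparison.
var_dump(tokenMatchesLoose('0e12345', '0e99999'));
var_dump(tokenMatchesStrict('0e12345', '0e99999'));
```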

Other

  • Changed config value for “$database_host” from ‘localhost’ to ‘dbhost’ — enabling a default setup that works with a DB that is not on the same machine

This release is the work of Duncan Cameron, Sam Tuke, Xheni Myrtaj and other Open Source community members who have submitted bug reports and valuable feedback, as well as phpList Ltd. developers. To get involved in phpList development, check out the developer resources pages.

Report any issues you find with phpList 4 core or REST API to the corresponding repo on GitHub. Please read the contribution guide on how to contribute to these modules.

Support

Need help upgrading your phpList server to the newest version? Ask the community at discuss.phplist.org. Professional support from community experts, as well as manuals, source code, and developer resources, can be found at phplist.org. Report all bugs to the bugtracker!

Want to focus on campaigns and forget hosting headaches? Sign up at phplist.com for an account with everything included. Send from 300 free messages to 30 million messages per month — simple.

