CVE-2025-28073 is a reflected Cross-Site Scripting (XSS) vulnerability affecting phpList versions prior to 3.6.15. The vulnerability exists in the /lists/dl.php endpoint, where the 'id' parameter is improperly sanitized. An attacker can craft a malicious URL containing JavaScript code embedded within the 'id' parameter. When a victim clicks this URL, the injected script executes in the context of the victim's browser session with phpList, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect the user to malicious sites. Reflected XSS vulnerabilities require user interaction, typically clicking a crafted link, and do not persist on the server. The CVSS 3.1 base score is 6.1 (medium severity), reflecting that the attack vector is network-based with low attack complexity, no privileges required, but user interaction is necessary. The scope is changed (S:C) indicating that the vulnerability can affect components beyond the vulnerable component, and the impact is limited to confidentiality and integrity with no availability impact. No known exploits are reported in the wild yet, but the vulnerability is publicly disclosed and patched in version 3.6.15. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the root cause. This vulnerability is typical of web applications that fail to properly sanitize user-supplied input before reflecting it in HTTP responses, enabling script injection.

For European organizations using phpList for managing mailing lists and communications, this vulnerability poses a risk of session hijacking, phishing, and unauthorized actions performed under the victim's credentials. Attackers could exploit this to compromise user accounts, steal sensitive information, or manipulate mailing lists, potentially leading to reputational damage and data breaches. Since phpList is often used by marketing, non-profits, and internal communications teams, exploitation could disrupt communication workflows and erode trust. The reflected XSS requires user interaction, so targeted phishing campaigns could be used to exploit this vulnerability. The impact on confidentiality and integrity, while limited, can be significant if attackers gain access to privileged accounts or sensitive subscriber data. Additionally, the scope change indicates that the vulnerability might affect other components or services integrated with phpList, increasing the potential attack surface. Given the medium severity and no known exploits yet, the risk is moderate but should be addressed promptly to prevent exploitation.

European organizations should immediately upgrade phpList to version 3.6.15 or later, where this vulnerability is patched. If upgrading is not immediately feasible, implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'id' parameter in /lists/dl.php requests. Conduct a thorough audit of all URLs and user inputs to ensure proper input validation and output encoding, particularly for parameters reflected in HTTP responses. Educate users and administrators about the risks of clicking unsolicited links, especially those purporting to be from internal mailing lists. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly monitor logs for suspicious activity related to the vulnerable endpoint. Finally, integrate vulnerability scanning into the software update lifecycle to detect and remediate such issues proactively.