CVE-2025-28073: n/a
phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized.
AI Analysis
Technical Summary
CVE-2025-28073 is a reflected Cross-Site Scripting (XSS) vulnerability in phpList versions before 3.6.15. The flaw is in the /lists/dl.php endpoint, which reflects the 'id' query parameter into the HTTP response without adequate validation or output encoding. An attacker crafts a URL in which the 'id' parameter carries HTML and JavaScript; when a victim who is logged in to phpList opens that URL, the injected script runs in the victim's browser under the phpList origin. From there it can read page content, issue requests that carry the victim's session (including administrative actions if the victim is an administrator), or redirect the user to an attacker-controlled site. Direct theft of the session cookie through document.cookie only works if the cookie is not marked HttpOnly, but the script can still drive the application through the victim's browser either way. Because the vulnerability is reflected rather than stored, the payload is not persisted on the server, and each exploitation requires the victim to open a crafted link. The CVSS 3.1 base score is 6.1 (medium), corresponding to the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required. The scope is changed (S:C) because the vulnerable component is the phpList web application while the impact lands in the victim's browser, a different security authority; confidentiality and integrity impact are rated low and availability is not affected. No exploitation in the wild has been reported, but the vulnerability is publicly disclosed and fixed in 3.6.15. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input is written into an HTML response without being validated or encoded for the HTML context.
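The pattern behind this bug class, shown as an added PHP illustration rather than phpList's actual dl.php code (which this page does not reproduce). The function names, the page text and the sample payload are all constructed for the example; the assumption that a list id should be a positive integer is the example's, not something the advisory states.

```php
<?php
// Added illustration of the CWE-79 pattern described above. This is NOT
// phpList's code: the real dl.php logic is not reproduced on this page, and
// the function names (render_vulnerable, render_fixed) are hypothetical.

/**
 * Vulnerable pattern: the request parameter is interpolated into HTML
 * unchanged, so a value such as  1"><script>...</script>  is reflected as
 * markup and the browser executes it under the application's origin.
 */
function render_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return '<p>Download for list id: ' . $id . '</p>';
}

/**
 * Hardened pattern, two independent layers:
 *  1. Validate: an id is assumed to be a positive integer, so anything else
 *     is rejected up front (filter_var returns false for '1"><script>',
 *     for '' and for a non-scalar value such as id[]=x).
 *  2. Encode: whatever is reflected goes through htmlspecialchars with
 *     ENT_QUOTES, so even if the validation rule were loosened later the
 *     value could not terminate a tag or attribute.
 * The failure path returns a fixed message instead of echoing the bad
 * value, so attacker input is not reflected at all when validation fails.
 */
function render_fixed(array $get): string
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return '<p>Invalid list id.</p>';
    }
    $safe = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Download for list id: ' . $safe . '</p>';
}

// Constructed request, not a captured exploit: a generic reflected payload
// that closes the surrounding context and opens a script element.
$crafted = ['id' => '1"><script>alert(document.cookie)</script>'];

// The vulnerable renderer hands the <script> element to the browser verbatim.
echo 'vulnerable: ' . render_vulnerable($crafted) . PHP_EOL;

// The hardened renderer rejects the value on the validation layer.
echo 'fixed:      ' . render_fixed($crafted) . PHP_EOL;

// A well-formed request still works after hardening.
echo 'fixed:      ' . render_fixed(['id' => '42']) . PHP_EOL;
```

The validation layer is what actually closes this class of bug for a numeric parameter; the encoding layer is kept so that a later change to the validation rule does not silently reintroduce the injection.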
Potential Impact
For European organizations that run phpList for newsletters and subscriber management, the practical risk is that an administrator or subscriber who opens a crafted link has their phpList session abused: the attacker can act as that user, read subscriber data visible to them, or change list and campaign settings. Compromise of an administrator session is the worst case, since it exposes the subscriber database and lets the attacker send mail to every list, which is also a ready-made phishing channel that carries the organization's own sender reputation. Because exploitation requires user interaction, the likely delivery route is a targeted phishing message or a link placed where phpList operators will click it; a link that points at the organization's own phpList host is more convincing than one to an unknown domain. The scope change in the CVSS vector reflects that the script executes in the victim's browser rather than on the server; it does not by itself mean other backend services are reachable, although anything served under the same origin as phpList is within the injected script's reach. With medium severity and no known exploitation, the overall risk is moderate, but the fix is a routine version upgrade and should not be deferred.
Mitigation Recommendations
European organizations should upgrade phpList to version 3.6.15 or later, where the issue is fixed; this is the only complete remediation. Until the upgrade is done, put a rule in front of /lists/dl.php that rejects requests whose 'id' parameter is not a plain integer: a positive allow-list is far more robust than a deny-list of strings such as <script, which attackers routinely bypass with encoding variants, and a WAF rule of either kind is a stopgap rather than a fix. Review the other parameters that phpList reflects into responses and confirm they are validated and HTML-encoded; the same audit should cover local customizations and plugins. Set a Content-Security-Policy that disallows inline scripts and restricts script sources as defense in depth, but test it against the phpList administration interface first, because a policy that blocks scripts the application relies on will break it. Confirm that the phpList session cookie is issued with the HttpOnly, Secure and SameSite attributes so that a successful injection cannot simply read the cookie, bearing in mind that the injected script can still issue requests from within the victim's browser. Search web-server access logs for requests to /lists/dl.php whose 'id' parameter contains anything other than digits, including URL-encoded or double-encoded angle brackets and quotes; a hit indicates probing or exploitation, and the source address and user agent should be reviewed. Remind administrators that links pointing at the organization's own phpList host can still be malicious and that unexpected links should be typed rather than clicked. Finally, include phpList in routine vulnerability scanning and the software inventory so that future releases are picked up promptly.
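A log-review helper for the monitoring step above, added here as an example and not part of phpList or of this advisory. It assumes combined-format (Apache/nginx) access logs and PHP 8 or later; the sample log lines are constructed, and the allow-list rule that a valid id is a positive integer is an assumption made for the example rather than something the advisory states.

```php
<?php
// Added example: flag requests to /lists/dl.php whose id parameter cannot be
// a numeric id. Not part of phpList or of the advisory. The log lines below
// are constructed, and the "id must be a positive integer" rule is an
// assumption to confirm against your deployment before relying on it.
// Requires PHP 8.0+ (str_ends_with).

/**
 * Parse one combined-format access-log line into its client IP, request
 * target and status code, or return null if the line does not match.
 * Only the fields needed for this check are extracted.
 */
function parse_combined_line(string $line): ?array
{
    // 203.0.113.5 - - [12/Jul/2025:10:00:01 +0000] "GET /path?q=1 HTTP/1.1" 200 512 "-" "UA"
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'target' => $m[2], 'status' => (int) $m[3]];
}

/**
 * Return the decoded id value if the request targets dl.php and the id is
 * NOT a plain positive integer; return null for anything else.
 * parse_str() URL-decodes once; the extra rawurldecode() catches
 * double-encoded payloads (%253C -> %3C -> <), a common WAF-evasion trick.
 */
function suspicious_dl_id(string $target): ?string
{
    $path  = parse_url($target, PHP_URL_PATH) ?? '';
    $query = parse_url($target, PHP_URL_QUERY) ?? '';
    if (!str_ends_with($path, '/dl.php')) {
        return null;
    }
    parse_str($query, $params);
    if (!isset($params['id']) || !is_string($params['id'])) {
        return null;
    }
    $id = rawurldecode($params['id']);
    return preg_match('/^[1-9][0-9]*$/', $id) ? null : $id;
}

/**
 * Run the check over a list of log lines and return one hit per
 * suspicious request (line number, client IP, decoded id value).
 */
function scan(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $rec = parse_combined_line($line);
        if ($rec === null) {
            continue;                       // unparseable line, skip it
        }
        $bad = suspicious_dl_id($rec['target']);
        if ($bad !== null) {
            $hits[] = ['line' => $n + 1, 'ip' => $rec['ip'], 'id' => $bad];
        }
    }
    return $hits;
}

// Constructed sample log lines, not real traffic. Lines 3 and 4 carry a
// single- and a double-encoded payload respectively; lines 1 and 2 are benign.
$logLines = [
    '203.0.113.5 - - [12/Jul/2025:10:00:01 +0000] "GET /lists/dl.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jul/2025:10:00:02 +0000] "GET /lists/?p=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jul/2025:10:00:03 +0000] "GET /lists/dl.php?id=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [12/Jul/2025:10:00:04 +0000] "GET /lists/dl.php?id=1%2522%253E%253Cscript%253E HTTP/1.1" 200 512 "-" "curl/8.0"',
    'garbage line that does not parse',
];

foreach (scan($logLines) as $hit) {
    printf("line %d: %s sent a non-numeric id to dl.php: %s\n",
        $hit['line'], $hit['ip'], $hit['id']);
}
```

Because the check is an allow-list on the parameter's expected shape rather than a search for known payload strings, it also catches probes that do not contain the word script at all, such as a bare quote or angle bracket used to test whether the value is reflected.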
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-03-11T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd6996
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 7/12/2025, 5:16:49 AM
Last updated: 8/4/2025, 6:20:19 PM
Related Threats
CVE-2025-49559: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) in Adobe Adobe Commerce (Medium)
CVE-2025-49558: Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) in Adobe Adobe Commerce (Medium)
CVE-2025-49557: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Adobe Commerce (High)
CVE-2025-49556: Incorrect Authorization (CWE-863) in Adobe Adobe Commerce (High)
CVE-2025-49555: Cross-Site Request Forgery (CSRF) (CWE-352) in Adobe Adobe Commerce (High)