CVE-2012-4247
phpList < 2.10.19 - Cross-Site Scripting via Multiple Parameters
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2012-4247.
AI-analyzed exploit summary: This exploit demonstrates a CSRF vulnerability to add an admin account and an XSS vulnerability in phpList 2.10.9. The CSRF form submits crafted parameters to create a privileged user, while the XSS form injects arbitrary script via the 'testtarget' parameter.
Description
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page.