CVE-2012-4247

Phplist < 2.10.18 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2) remote_database, (3) remote_userprefix, (4) remote_password, or (5) remote_prefix parameter to the import4 page; or the (6) id parameter to the bouncerule page.

Exploits (1)

exploitdb WORKING POC

htmlwebappsphp

https://www.exploit-db.com/exploits/18419

View on exploitdb

References (8)

[Patch] http://www.phplist.com/?lid=579

[Various Sources] https://www.httpcs.com/advisories

[Vendor Advisory] https://www.httpcs.com/advisory/httpcs1

[Vendor Advisory] https://www.httpcs.com/advisory/httpcs2

[Vendor Advisory] https://www.httpcs.com/advisory/httpcs3

[Vendor Advisory] https://www.httpcs.com/advisory/httpcs4

[Vendor Advisory] https://www.httpcs.com/advisory/httpcs6

[Vendor Advisory] https://www.httpcs.com/advisory/httpcs7

Scores

EPSS 0.0478

EPSS Percentile 89.3%

Classification

CWE

CWE-79

Status draft

Affected Products (23)

phplist/phplist < 2.10.18

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

phplist/phplist

... and 8 more

Timeline

Published Aug 12, 2012

Tracked Since Feb 18, 2026