phpList - SQL Injection (Authenticated)

Version : 3.5.9

Date: 12.15.2020

Vendor : https://www.phplist.com

CVE : CVE-2020-35708

Description: phpList Version 3.5.9 is affected by SQL injection vulnerability because of improper handling of imported administrator files.

phpList allows the user who logs in as “admin”, to import files in the “Config - Import Administrators” page. The first 3 lines are perceived as email, loginname, password, and the 4th line as an attribute. The attacker can inject his/her own SQL query on line 4.

Creating malicious file:

Creating malicious file

Importing malicious file:

Importing malicious file

SQL injection vulnerability:

SQL Injection