phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPhplist
APPPhplist3.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Related vulnerabilities
CVE-2020-22249CRITICAL9.8ten sam produkt
Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions store...
CVE-2021-3188CRITICAL9.8ten sam produkt
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.
CVE-2020-8547CRITICAL9.8ten sam produkt
phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashe...
CVE-2017-20029HIGH7.3ten sam produkt
A vulnerability was found in PHPList 3.2.6 and classified as critical. This issue affects some unknown process...
CVE-2020-35708HIGH7.2ten sam produkt
phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Impo...