How the CVE Works:
CVE-2025-28073 affects phpList versions before 3.6.15. The vulnerability is in the `/lists/dl.php` endpoint, which does not sufficiently sanitize the `id` parameter. An attacker can craft a URL whose `id` value carries a JavaScript payload; the value is reflected into the response and executes in the victim’s browser when the link is opened. As a reflected XSS flaw, it can be used for session hijacking, defacement, or phishing.
DailyCVE Form:
Platform: phpList
Version: < 3.6.15
Vulnerability: Reflected XSS
Severity: Medium
Date: 06/17/2025
Prediction: Patch by 07/15/2025
What Undercode Says:
Analytics:
curl -X GET "http://target/lists/dl.php?id=<script>alert(1)</script>"
payload = "<img src=x onerror=alert(document.cookie)>"
How to Exploit:
- Craft malicious URL with `id` parameter containing XSS payload.
- Social-engineer victim to click the link.
- Steal cookies or redirect to phishing page.
Protection from this CVE:
- Update to phpList 3.6.15+.
- Sanitize `id` parameter input.
- Implement CSP headers.
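Added example (not phpList's code and not from the original post): the "sanitize `id`" mitigation expressed as a strict positive-integer allow-list, plus the same check run over constructed access-log lines so a defender can surface past `/lists/dl.php` requests that carried anything other than a clean integer. The Common Log Format lines and the assumption that `id` is only ever a numeric download identifier are illustrative.

```python
"""Constructed example for CVE-2025-28073: reject and detect non-integer
``id`` values sent to phpList's ``/lists/dl.php``. Log lines are made up."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a Common Log Format line: "METHOD PATH?QUERY HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Allow-list: a positive decimal integer, no sign, no leading zero, no unicode digits
_ID_RE = re.compile(r"[1-9][0-9]*")

def validate_download_id(raw):
    """Server-side check a hardened dl.php should apply before using ``id``.

    Returns the integer, or None if the request must be rejected. Output
    escaping would also stop the reflected script, but a download id has no
    legitimate reason to contain anything except digits, so reject outright.
    """
    if raw is None or _ID_RE.fullmatch(raw) is None:
        return None
    return int(raw)

def find_suspicious_requests(log_lines):
    """Return (line_no, decoded_id) for dl.php hits whose id fails the
    allow-list. Decoding happens first so %3Cscript%3E is not missed."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/lists/dl.php"):
            continue
        # parse_qs already percent-decodes once; unquote again to catch
        # double-encoded values (assumed attacker trick, handled defensively)
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            decoded = unquote(value)
            if validate_download_id(decoded) is None:
                hits.append((n, decoded))
    return hits

# Constructed access-log sample (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jun/2025:10:00:01 +0000] "GET /lists/dl.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Jun/2025:10:00:07 +0000] "GET /lists/dl.php?id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1803',
    '10.0.0.9 - - [17/Jun/2025:10:00:09 +0000] "GET /lists/index.php?id=%3Cb%3E HTTP/1.1" 200 900',
    '10.0.0.7 - - [17/Jun/2025:10:00:12 +0000] "GET /lists/dl.php?id=%2542 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: rejected id={value!r}")
```

The third sample line is deliberately skipped because the path is not `dl.php`; the fourth is flagged only because of the second decoding pass.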
Impact:
- Session hijacking.
- Unauthorized actions.
- Data leakage.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode