VIR Vulnerability Intelligence Relay

CVE-2011-1682

medium
Published 2011-04-13 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
5.3

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in phpList 2.10.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create a list or (2) insert cross-site scripting (XSS) sequences. NOTE: this issue exists because of an incomplete fix for CVE-2011-0748. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-18419 webapps php verified
Cyber-Crystal ยท 2012-01-26

phpList 2.10.9 - Cross-Site Request Forgery / Cross-Site Scripting

Source code queued for fetch โ€” refresh in a moment.

Application impact
VendorProductVersionsFixed
tincanphplist{"endIncluding":"2.10.13"}
tincanphplist1.0
tincanphplist1.0.1
tincanphplist1.1.2b
tincanphplist1.1.3b
tincanphplist1.1.4b
tincanphplist1.1.5
tincanphplist1.1.5b
tincanphplist1.1.6
tincanphplist1.1.7
tincanphplist1.3.5
tincanphplist1.3.7
tincanphplist1.4.1
tincanphplist1.5.0
tincanphplist1.5.1
tincanphplist1.6.0
tincanphplist1.6.1
tincanphplist1.6.3
tincanphplist1.6.4
tincanphplist1.7.0
tincanphplist1.7.1
tincanphplist1.8.0
tincanphplist1.9.0
tincanphplist1.9.1
tincanphplist1.9.2
tincanphplist1.9.3
tincanphplist2.1.0
tincanphplist2.1.1
tincanphplist2.1.3
tincanphplist2.1.4
tincanphplist2.2.0
tincanphplist2.2.1
tincanphplist2.3.0
tincanphplist2.3.1
tincanphplist2.3.2
tincanphplist2.3.3
tincanphplist2.3.4
tincanphplist2.4.0
tincanphplist2.4.7
tincanphplist2.5.0
tincanphplist2.5.1
tincanphplist2.5.2
tincanphplist2.5.3
tincanphplist2.5.4
tincanphplist2.5.5
tincanphplist2.5.6
tincanphplist2.5.7
tincanphplist2.5.8
tincanphplist2.6
tincanphplist2.6.0
tincanphplist2.6.1
tincanphplist2.6.2
tincanphplist2.6.3
tincanphplist2.6.4
tincanphplist2.6.5
tincanphplist2.7.1
tincanphplist2.7.2
tincanphplist2.8.2
tincanphplist2.8.7
tincanphplist2.8.12
tincanphplist2.9.3
tincanphplist2.9.4
tincanphplist2.9.5
tincanphplist2.10.1
tincanphplist2.10.2
tincanphplist2.10.3
tincanphplist2.10.4
tincanphplist2.10.5
tincanphplist2.10.6
tincanphplist2.10.7
tincanphplist2.10.8
tincanphplist2.10.9
tincanphplist2.10.10
tincanphplist2.10.11
tincanphplist2.10.12

References

CWEs

CWE-352

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.