{"dataType":"CVE_RECORD","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2025-28074","assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","dateUpdated":"2025-06-07T14:42:05.947Z","dateReserved":"2025-03-11T00:00:00.000Z","datePublished":"2025-05-08T00:00:00.000Z"},"containers":{"cna":{"providerMetadata":{"orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre","dateUpdated":"2025-06-07T14:42:05.947Z"},"descriptions":[{"lang":"en","value":"phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript."}],"affected":[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}],"references":[{"url":"https://github.com/phpList/phplist3/blob/main/public_html/lists/lt.php"},{"url":"https://github.com/mLniumm/CVE-2025-28074"},{"url":"https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15"},{"url":"https://www.phplist.org/newslist/phplist-3-6-15-release-notes/"}],"problemTypes":[{"descriptions":[{"type":"text","lang":"en","description":"n/a"}]}]},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-79","lang":"en","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}],"metrics":[{"cvssV3_1":{"scope":"CHANGED","version":"3.1","baseScore":6.1,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","integrityImpact":"LOW","userInteraction":"REQUIRED","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"NONE","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-05-12T21:49:07.126779Z","id":"CVE-2025-28074","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-12T22:05:56.427Z"}}]},"dataVersion":"5.1"}