Description
phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
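The comparison flaw described above, shown next to two safe forms. This is an added example, not phpList's own code; the function names and both digest strings are constructed for illustration and are not hashes of any real password.

```php
<?php
declare(strict_types=1);

// Constructed values shaped like hex digests: "0e" followed only by digits.
$storedHash    = '0e462097431906509019562988736854';
$submittedHash = '0e830400451993494058024219903391';

// Loose comparison, the pattern the advisory describes. Both operands are
// numeric strings, so PHP reads them as floats in scientific notation
// (0 times a power of ten) and compares the numbers, not the bytes.
function looseMatch(string $stored, string $submitted): bool
{
    return $stored == $submitted;
}

// Strict comparison: same type and identical bytes, no numeric conversion.
function strictMatch(string $stored, string $submitted): bool
{
    return $stored === $submitted;
}

// hash_equals() compares as strings and in constant time, which also
// avoids leaking how many leading bytes matched.
function constantTimeMatch(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// Audit helper (hypothetical): flag stored digests that a loose comparison
// would treat as the number zero.
function isJuggleProne(string $hash): bool
{
    return preg_match('/^0+[eE][0-9]+$/', $hash) === 1;
}

printf("loose ==      : %s\n", var_export(looseMatch($storedHash, $submittedHash), true));
printf("strict ===    : %s\n", var_export(strictMatch($storedHash, $submittedHash), true));
printf("hash_equals   : %s\n", var_export(constantTimeMatch($storedHash, $submittedHash), true));
printf("juggle-prone  : %s\n", var_export(isJuggleProne($storedHash), true));
```

Replacing the loose comparison with `===` or `hash_equals()` removes the numeric interpretation; the audit helper can be run over stored digests to find accounts that were exposed to it.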