What is the severity of CVE-2023-27576?

The severity of CVE-2023-27576 is medium.

What is the affected software version for CVE-2023-27576?

The affected software version for CVE-2023-27576 is phpList 3.6.12.

How can an attacker exploit CVE-2023-27576?

An attacker can exploit CVE-2023-27576 by manipulating and editing data of the system's super admin, allowing an account takeover of the user with super-admin permission.

Is there a fix available for CVE-2023-27576?

Yes, a fix is available. It is recommended to update to a patched version or apply the necessary security updates.

Where can I find more information about CVE-2023-27576?

More information about CVE-2023-27576 can be found at the following link: [https://cupc4k3.lol/cve-2023-27576-hacking-phplist-how-i-gained-super-admin-access-44c7c90d82da](https://cupc4k3.lol/cve-2023-27576-hacking-phplist-how-i-gained-super-admin-access-44c7c90d82da)

Vulnerability/
CVE-2023-27576

medium

6.7

CWE

639

18/8/2023

7/10/2024

CVE-2023-27576

First published: Fri Aug 18 2023(Updated: )

An issue was discovered in phpList 3.6.12. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the user with super-admin permission. Specifically, for a request with updatepassword=1, a modified request (manipulating both the ID parameter and the associated username) can bypass the intended email confirmation requirement. For example, the attacker can start from an updatepassword=1 request with their own ID number, and change the ID number to 1 (representing the super admin account) and change the username to admin2. In the first step, the attacker changes the super admin's email address to one under the attacker's control. In the second step, the attacker performs a password reset for the super admin account. The new password allows login as the super admin, i.e., a successful account takeover.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
PHPList	=3.6.12

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-27576?
The severity of CVE-2023-27576 is medium.
What is the affected software version for CVE-2023-27576?
The affected software version for CVE-2023-27576 is phpList 3.6.12.
How can an attacker exploit CVE-2023-27576?
An attacker can exploit CVE-2023-27576 by manipulating and editing data of the system's super admin, allowing an account takeover of the user with super-admin permission.
Is there a fix available for CVE-2023-27576?
Yes, a fix is available. It is recommended to update to a patched version or apply the necessary security updates.
Where can I find more information about CVE-2023-27576?
More information about CVE-2023-27576 can be found at the following link: [https://cupc4k3.lol/cve-2023-27576-hacking-phplist-how-i-gained-super-admin-access-44c7c90d82da](https://cupc4k3.lol/cve-2023-27576-hacking-phplist-how-i-gained-super-admin-access-44c7c90d82da)

agent/author
agent/type
agent/event
agent/softwarecombine
agent/first-publish-date
agent/references
agent/severity
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/weakness
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/nvd-index
vendor/phplist
canonical/phplist
version/phplist/3.6.12

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.