phpList Cross-Site Scripting Vulnerability in lt.php

A Cross-Site Scripting (XSS) vulnerability has been identified in phpList versions prior to 3.6.3. The issue arises from improper input sanitization in the lt.php file, allowing attackers to inject malicious JavaScript. This vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without proper escaping.

Impact

Exploitation of this vulnerability allows for Cross-Site Scripting (XSS) attacks, where an attacker can inject and execute malicious JavaScript in the context of the user's browser. This could lead to credential theft, session hijacking, or other malicious actions within the victim's browser.

Reproduction

To reproduce this vulnerability, an attacker can craft a payload that exploits the application's internal path referencing. By injecting untrusted input through a parameter that lt.php processes without proper sanitization, the attacker can execute JavaScript in the user's browser.