phpList 3.5.5
14 July 2020
phpList version 3.5.5 is now available (security release).
Upgrading to phpList 3.5.5
phpList 3.5.5 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply phpList updates as new versions are released, or use Installatron's Clone feature to duplicate an existing phpList install to test the 3.5.5 upgrade prior to applying it live. Get started managing your phpList installations with Installatron.
What's New in phpList 3.5.5
Security
- Fixed an error-based SQL injection vulnerability reachable via the Import Administrators section
- Fixed code injection via “Import administrators”
- Cross-site scripting vulnerability on the “Send a campaign” page: the “Send a web page” URL value is now encoded, and the email addresses set to receive notifications are verified
- Cross-site scripting vulnerability on “Manage administrators” – the email address of an admin is now sanitized
- Cross-site scripting vulnerability on “Bounce rules” – an unnecessary JavaScript action has been removed
- Cross-site scripting vulnerability in the “Name of the organisation” option of the “Settings” page – the use of tags is now restricted and JavaScript is disallowed
- Cross-site scripting vulnerability on “Import subscribers” via SVG upload – tags in CSV import headers are now ignored
- Implemented an XSS filter in /lists/admin/spageedit.php and /lists/admin/editlist.php
Changes
- Avoided warnings about $pageroot when phpList is installed in the web root, and improved the warning message to include the values that don’t match
- Removed redundant code following the changes included in phpList 3.5.4
- Added SameSite to the browsetrail cookie to address warnings in Firefox – the SameSite attribute of the Set-Cookie HTTP response header declares whether the cookie should be restricted to a first-party or same-site context
- Avoid listing “All lists” and “All public lists” among the available options when “List Exclude” is used
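The SameSite change above, shown as an added example that is not phpList's own code: one way to emit a cookie such as browsetrail with a SameSite attribute in PHP, covering the weak form (no attribute, which is what browsers warn about), the PHP 7.3+ options-array form, and a manual header for older PHP. The helper name `build_cookie_header`, the HttpOnly flag and the sample cookie value are assumptions for this example.

```php
<?php
// Added example, not phpList code. Function name and sample value are constructed.

/**
 * Build a Set-Cookie header value carrying a SameSite attribute.
 * SameSite must be Strict, Lax or None; browsers reject None unless
 * the cookie is also marked Secure, so that combination is refused here.
 */
function build_cookie_header(string $name, string $value, string $sameSite = 'Lax',
                             bool $secure = false, string $path = '/'): string
{
    $sameSite = ucfirst(strtolower($sameSite));
    if (!in_array($sameSite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException("invalid SameSite value: $sameSite");
    }
    if ($sameSite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }
    $parts = [rawurlencode($name) . '=' . rawurlencode($value), 'Path=' . $path, 'HttpOnly'];
    if ($secure) {
        $parts[] = 'Secure';
    }
    $parts[] = 'SameSite=' . $sameSite;
    return implode('; ', $parts);
}

$trail  = 'home>lists>campaign';          // constructed sample value
$secure = !empty($_SERVER['HTTPS']);      // only mark Secure when served over TLS

// Before: no SameSite attribute at all, which is what Firefox warns about.
// setcookie('browsetrail', $trail, 0, '/');

// After: PHP 7.3+ accepts the attribute in the options array ...
if (PHP_VERSION_ID >= 70300) {
    setcookie('browsetrail', $trail, [
        'path'     => '/',
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
} else {
    // ... older PHP cannot set SameSite through setcookie(), so send the header directly.
    header('Set-Cookie: ' . build_cookie_header('browsetrail', $trail, 'Lax', $secure), false);
}
```

Lax is the usual choice for a navigation-trail cookie: it is sent on top-level navigations to the site but withheld from cross-site subrequests, which is the same protective default browsers now apply when the attribute is missing.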
Bug Fixes
- Fixed “Save Changes” on the “Lists” page, which now allows bulk updates to lists’ status (Public vs Private) and order
- Corrected the description of the “CLICKTRACK” value in config_extended.php