The web interface for subscribing new users in Lyris ListManager 5.0 up to and including 8.8b, in combination with a line wrap feature, allows remote malicious users to execute arbitrary list administration commands via LFCR (%0A%0D) sequences in the pw parameter. NOTE: it is not clear whether this is a variant of a CRLF injection vulnerability.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
lyris technologies inc listmanager 7.0 |
||
lyris technologies inc listmanager 8.0 |
||
lyris technologies inc listmanager 8.8a |
||
lyris technologies inc listmanager 5.0 |
||
lyris technologies inc listmanager 6.0 |