LISTSERV 17 Reflected Cross Site Scripting (XSS)

CVE Category Price Severity
CVE-2022-39195 CWE-79 Unknown Medium
Author Risk Exploitation Type Date
Unknown High Remote 2023-04-02

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

LISTSERV 17 Reflected Cross Site Scripting (XSS)
# Exploit Title: LISTSERV 17 - Reflected Cross Site Scripting (XSS)
# Google Dork: inurl:/scripts/wa.exe
# Date: 12/01/2022
# Exploit Author: Shaunt Der-Grigorian
# Vendor Homepage:
# Software Link:
# Version: 17
# Tested on: Windows Server 2019
# CVE : CVE-2022-39195

A reflected cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the "c" parameter.

To reproduce, please visit
(or whichever URL you can use for testing instead of localhost).

The "c" parameter will reflect any value given onto the page.

# Solution
This vulnerability can be mitigated by going under "Server Administration" to "Web Templates" and editing the BODY-LCMD-MESSAGE web template. Change &+CMD; to &+HTMLENCODE(&+CMD;); .

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.