Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

L-Soft LISTSERV 16.5 Reflected Cross-Site Scripting

The REPORT parameter used by the wa.exe component of LISTSERV 16.5 is vulnerable to reflected Cross-Site Scripting due to improper sanitization of user input. By closing the HTML tag after the z parameter (as shown below), JavaScript can be injected into the URL before the a parameter. note versions prior to 16.5 may also be affected but have not been tested.

POC