Launchpad.net

CVE 2020-13827

phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.

See the CVE page on Mitre.org for more details.