phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23361
Reference (s):
- https://github.com/phpList/phplist3/issues/668