Description


The REPORT (after z but before a) parameter in wa.exe in L-Soft LISTSERV 16.5 before 17 allows an attacker to conduct XSS attacks via a crafted URL.

L-Soft most recently tested this vulnerability against LISTSERV 17.5, where it is ineffective.

https://nvd.nist.gov/vuln/detail/CVE-2023-27641

Mitigation


If this vulnerability has been reported for your site, the mitigation is to upgrade to LISTSERV 17.0 or later (the version current at 7 Oct 2025, 17.5, is strongly recommended).

There are no fixes available for this vulnerability for LISTSERV 16.5 or earlier.
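
To check whether the crafted-URL pattern described above was ever requested against a site, the web server's access logs can be scanned for wa.exe requests whose REPORT parameter carries HTML markup. The script below is an added example, not code from L-Soft or from this advisory. It assumes common/combined-format access logs and that the injected markup appears in the value of the REPORT query parameter; the log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that can break out into HTML and are not expected in a report name.
MARKUP_RE = re.compile(r'[<>"\'`]')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_report_requests(log_lines):
    """Return (line_no, decoded REPORT value) for wa.exe hits with markup in REPORT."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/wa.exe"):
            continue
        # parse_qsl decodes once; keep_blank_values keeps a bare "REPORT" key.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.upper() == "REPORT":
                decoded = fully_decode(value)
                if MARKUP_RE.search(decoded):
                    hits.append((line_no, decoded))
    return hits

# Constructed sample log lines (documentation IP ranges, inert markup only).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Oct/2025:10:00:01 +0000] "GET /scripts/wa.exe?REPORT&z=4 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Oct/2025:10:02:17 +0000] "GET /scripts/wa.exe?REPORT=%3Cb%3Etest%3C/b%3E&z=4 HTTP/1.1" 200 5300',
    '198.51.100.7 - - [07/Oct/2025:10:05:40 +0000] "GET /scripts/wa.exe?z=4&REPORT=%253Ci%253E HTTP/1.1" 200 5290',
    '198.51.100.7 - - [07/Oct/2025:10:06:02 +0000] "GET /index.html?REPORT=%3Cb%3E HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for line_no, value in suspicious_report_requests(SAMPLE_LOG):
        print(f"line {line_no}: REPORT contains markup: {value!r}")
```

A hit shows only that such a URL was requested; whether the markup was reflected depends on the LISTSERV version that served it.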