CVE-2012-5537
Simplenews Scheduler module <6.x-2.4 - Authenticated Code Injection
Title source: llmDescription
The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_misc
http://drupal.org/node/1789284
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/11/20/4
Patch x_refsource_confirm
http://drupal.org/node/1789274
Scores
EPSS
0.0106
EPSS Percentile
60.2%
Details
CWE
CWE-94
Status
published
Products (5)
simplenews_scheduler_project/simplenews_scheduler
6.x-2.0 (4 CPE variants)
simplenews_scheduler_project/simplenews_scheduler
6.x-2.1
simplenews_scheduler_project/simplenews_scheduler
6.x-2.2
simplenews_scheduler_project/simplenews_scheduler
6.x-2.3
simplenews_scheduler_project/simplenews_scheduler
6.x-2.x dev
Published
Dec 03, 2012
Tracked Since
Feb 18, 2026