CVE-2012-5537

Simplenews Scheduler module <6.x-2.4 - Authenticated Code Injection


Description

The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.

References (3)

Core References
Patch, Vendor Advisory (x_refsource_misc): http://drupal.org/node/1789284
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2012/11/20/4
Patch (x_refsource_confirm): http://drupal.org/node/1789274

Scores

EPSS 0.0106
EPSS Percentile 60.2%

Details

CWE CWE-94
Status published
Products (5)
simplenews_scheduler_project/simplenews_scheduler 6.x-2.0 (4 CPE variants)
simplenews_scheduler_project/simplenews_scheduler 6.x-2.1
simplenews_scheduler_project/simplenews_scheduler 6.x-2.2
simplenews_scheduler_project/simplenews_scheduler 6.x-2.3
simplenews_scheduler_project/simplenews_scheduler 6.x-2.x dev
Published Dec 03, 2012
Tracked Since Feb 18, 2026