Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 6.0
CVE Id CVE-2012-5537
Last Modified 04 Dec 2012 12:00:00
Published 03 Dec 2012 04:55:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication SINGLE_INSTANCE

CVE-2012-5537

Summary

The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.

Vulnerable Systems

Application

  • Simplenews Scheduler Project Simplenews Scheduler 6.x-2.0

  • Simplenews Scheduler Project Simplenews Scheduler 6.x-2.1

  • Simplenews Scheduler Project Simplenews Scheduler 6.x-2.2

  • Simplenews Scheduler Project Simplenews Scheduler 6.x-2.3

  • Simplenews Scheduler Project Simplenews Scheduler 6.x-2.x


References

MLIST - [oss-security] 20121120 Re: CVE Request for Drupal Contributed Modules

MISC - http://drupal.org/node/1789284

CONFIRM - http://drupal.org/node/1789274


Last Updated: 27 May 2016 11:01:26