CVE-2012-5537

The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:S/C:P/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
VendorProductVersion
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.0:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.0:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.0:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.0:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.1:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.2:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.3:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.x:x
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://drupal.org/node/1789274
http://drupal.org/node/1789284
http://www.openwall.com/lists/oss-security/2012/11/20/4
http://drupal.org/node/1789274
http://drupal.org/node/1789284
http://www.openwall.com/lists/oss-security/2012/11/20/4