CVE-2012-5537

EUVD-2012-5429
The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:S/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
Affected Products (NVD)
VendorProductVersion
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.0:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.0:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.0:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.0:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.1:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.2:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.3:x
simplenews_scheduler_projectsimplenews_scheduler
6.x-2.x:x
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://drupal.org/node/1789274
http://drupal.org/node/1789284
http://www.openwall.com/lists/oss-security/2012/11/20/4
http://drupal.org/node/1789274
http://drupal.org/node/1789284
http://www.openwall.com/lists/oss-security/2012/11/20/4