← Back

CVE-2012-5537

nvd nist
Published: Dec 3, 2012Modified: Apr 29, 2026

JSON object

Loading...
6.0
Vector
AV:N/AC:M/Au:S/C:P/I:P/A:P
Exploitability: 6.8 / Impact: 6.4
Source: NVD

Description

The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.

Affected (8)

Simplenews Scheduler Project
1 product
Simplenews Scheduler
Configuration A
8 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Simplenews Scheduler
Version 6.x-2.0
Simplenews Scheduler
Version 6.x-2.0 beta2
Simplenews Scheduler
Version 6.x-2.0 beta3
Simplenews Scheduler
Version 6.x-2.0 beta4
Simplenews Scheduler
Version 6.x-2.1
Simplenews Scheduler
Version 6.x-2.2
Simplenews Scheduler
Version 6.x-2.3
Simplenews Scheduler
Version 6.x-2.x dev
Running on/withPlatform Versions
Drupal
Drupal
All versions

Related CWEs

CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

Source: secalert@redhat.com
Patch
Source: secalert@redhat.com
PatchVendor Advisory
Source: secalert@redhat.com
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.