First published: Mon Dec 03 2012(Updated: )
The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Simplenews Scheduler Project Simplenews Scheduler | =6.x-2.0 | |
Simplenews Scheduler Project Simplenews Scheduler | =6.x-2.0-beta2 | |
Simplenews Scheduler Project Simplenews Scheduler | =6.x-2.0-beta3 | |
Simplenews Scheduler Project Simplenews Scheduler | =6.x-2.0-beta4 | |
Simplenews Scheduler Project Simplenews Scheduler | =6.x-2.1 | |
Simplenews Scheduler Project Simplenews Scheduler | =6.x-2.2 | |
Simplenews Scheduler Project Simplenews Scheduler | =6.x-2.3 | |
Simplenews Scheduler Project Simplenews Scheduler | =6.x-2.x-dev | |
Drupal Drupal |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.