Main Vulnerability Database Vulnerabilities #VU1195

PHP code injection in Elysia Cron - #VU1195

Published: November 30, 2016 / Updated: December 5, 2016

Vulnerability identifier: #VU1195

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Drupal

Affected software:
Elysia Cron

Detailed vulnerability description

The vulnerability allows a remote privileged attacker to execute arbitrary PHP code.

The vulnerability exists due to design error, allowing users with role "Administer elysia cron" to inject and execute arbitrary PHP code on the target system.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary PHP coed on the target system with privileges of the web server.

Remediation

To mitigate the vulnerability grant "Administer elysia cron" role to trusted users only.

Sources

https://www.drupal.org/node/2831900

PHP code injection in Elysia Cron - #VU1195

Detailed vulnerability description

Remediation

Sources

Please verify you're human