Main Vulnerability Database Vulnerabilities #VU1195

#VU1195 PHP code injection in Elysia Cron

Published: November 30, 2016 / Updated: December 5, 2016

Vulnerability identifier: #VU1195

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Elysia Cron

Software vendor:
Drupal

Description

The vulnerability allows a remote privileged attacker to execute arbitrary PHP code.

The vulnerability exists due to design error, allowing users with role "Administer elysia cron" to inject and execute arbitrary PHP code on the target system.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary PHP coed on the target system with privileges of the web server.

Remediation

To mitigate the vulnerability grant "Administer elysia cron" role to trusted users only.

External links

https://www.drupal.org/node/2831900