CVE-2016-3165
Drupal 6.x < 6.38 - Improper Access Control via Form API Submit Button
Severity
HIGH
Title source: llmDescription
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
References (4)
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2016/02/24/19
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2016/03/15/10
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2016/dsa-3498
Patch, Vendor Advisory (x_refsource_confirm): https://www.drupal.org/SA-CORE-2016-001
Scores
CVSS v3
7.5
EPSS
0.0061
EPSS Percentile
69.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-284
Status
published
Products (40)
drupal/core
6.0 - 6.38 (Packagist)
drupal/drupal
6.0 (10 CPE variants)
drupal/drupal
6.1
drupal/drupal
6.2
drupal/drupal
6.3
drupal/drupal
6.4
drupal/drupal
6.5
drupal/drupal
6.6
drupal/drupal
6.7
drupal/drupal
6.8
... and 30 more
Published
Apr 12, 2016
Tracked Since
Feb 18, 2026