CVE-2016-3168

MEDIUM

Drupal 6.x < 6.38 and 7.x < 7.43 - Reflected File Download via JSON Content

Title source: llm

Description

The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."

References (4)

Core References
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2016/02/24/19
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2016/03/15/10
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2016/dsa-3498
Patch, Vendor Advisory (x_refsource_confirm): https://www.drupal.org/SA-CORE-2016-001

Scores

CVSS v3 6.4
EPSS 0.0053
EPSS Percentile 67.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-254
Status published
Products (41)
debian/debian_linux 7.0
debian/debian_linux 8.0
drupal/core 6.0 - 6.38 (Packagist)
drupal/drupal 6.0 (10 CPE variants)
drupal/drupal 6.1
drupal/drupal 6.2
drupal/drupal 6.3
drupal/drupal 6.4
drupal/drupal 6.5
drupal/drupal 6.6
... and 31 more
Published Apr 12, 2016
Tracked Since Feb 18, 2026