CVE-2016-3168

MEDIUM

Drupal 6.x < 6.38 and 7.x < 7.43 - Security Feature Bypass (Reflected File Download)

Title source: rule

Description

The System module in Drupal 6.x before 6.38 and 7.x before 7.43 contains a reflected file download (RFD) vulnerability. A crafted URL on the affected site returns attacker-controlled, JSON-encoded content in a response that the browser can be induced to save as a file whose name the attacker also chooses; if the victim runs that file, the reflected content executes. Because the request has to be issued by a logged-in site administrator (CVSS PR:H, UI:R), exploitation depends on tricking an administrator into following the link, which is why the flaw is described as hijacking administrator authentication for requests that download and run such files.
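The following is an added, generic illustration of the reflected file download pattern, written for this page and not taken from Drupal's code base; it does not reproduce the specific Drupal endpoint behind this CVE. The function and header names, the `Response` class, and the sample payload are assumptions chosen for the demo. It shows a JSON endpoint that reflects request input without download hardening, the same endpoint with the usual RFD mitigations (reject stray path segments, strip shell metacharacters from reflected text, pin the download filename, disable MIME sniffing), and a small checker that flags the conditions an RFD attack needs.

```python
"""Generic reflected file download (RFD) demo: a JSON endpoint that echoes
request-controlled text, in a vulnerable and a hardened form.
Added example for illustration; this is not Drupal's code and the names
below (Response, vulnerable_json_endpoint, hardened_json_endpoint,
rfd_findings) are assumptions made for the demo."""
import json
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (status, headers, body)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Characters that would let a saved copy of the body act as a shell/batch
# script (e.g. "||calc||" is executed by cmd.exe as a .bat file).
_SHELL_META = re.compile(r"[|&;`$<>]")
# Whitelist applied to anything reflected in the hardened endpoint.
_SAFE_REFLECT = re.compile(r"[^A-Za-z0-9_\-. ]")


def vulnerable_json_endpoint(path_tail: str, query_value: str) -> Response:
    """Tolerates an extra URL segment (where an attacker plants a filename
    such as setup.bat) and reflects a query value into JSON with no
    Content-Disposition or nosniff header. A browser navigating to such a
    URL can save this body under the attacker-chosen name."""
    body = json.dumps({"path": path_tail, "error": f"unknown key {query_value}"})
    return Response(200, {"Content-Type": "application/json"}, body)


def hardened_json_endpoint(path_tail: str, query_value: str) -> Response:
    """Same endpoint with the standard RFD mitigations applied."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # Stop the browser guessing a different type from the content.
        "X-Content-Type-Options": "nosniff",
        # Pin the filename so a forced download never lands as setup.bat.
        "Content-Disposition": 'attachment; filename="response.json"',
    }
    # 1. Only the exact route is served; trailing path segments are rejected.
    if path_tail != "":
        return Response(404, headers, json.dumps({"error": "not found"}))
    # 2. Strip shell metacharacters from reflected input so the body cannot
    #    become a working script even if it is saved and executed.
    safe_value = _SAFE_REFLECT.sub("", query_value)
    body = json.dumps({"error": f"unknown key {safe_value}"})
    return Response(200, headers, body)


def rfd_findings(resp: Response) -> list:
    """Return the RFD preconditions present in a response (empty if none)."""
    findings = []
    disposition = resp.headers.get("Content-Disposition", "")
    if resp.status == 200 and "filename=" not in disposition:
        findings.append("download name not pinned by Content-Disposition")
    if resp.headers.get("X-Content-Type-Options") != "nosniff":
        findings.append("MIME sniffing not disabled")
    if _SHELL_META.search(resp.body):
        findings.append("body contains shell metacharacters from reflected input")
    return findings


if __name__ == "__main__":
    # Constructed sample: attacker appends setup.bat to the path and reflects
    # a batch-file payload through the query value.
    payload = '"||calc||'
    for name, fn in (("vulnerable", vulnerable_json_endpoint),
                     ("hardened", hardened_json_endpoint)):
        resp = fn("setup.bat", payload)
        print(name, resp.status, resp.body, rfd_findings(resp))
    print("hardened exact route:", hardened_json_endpoint("", payload).body)
```

The checker is deliberately conservative: a 200 response whose filename is not pinned, a missing nosniff header, or reflected shell metacharacters each count as a finding, so it is suited to running over captured responses from an endpoint inventory rather than as proof of exploitability on its own.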

Scores

CVSS v3 6.4
EPSS 0.0053
EPSS Percentile 67.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Classification

CWE
CWE-254
Status draft

Affected Products (50)

drupal/drupal (all 50 entries are versions of the drupal/drupal package: Drupal 6.x before 6.38 and 7.x before 7.43)

Timeline

Published Apr 12, 2016
Tracked Since Feb 18, 2026