CVE-2016-3171

HIGH

Drupal 6.x < 6.38 - Remote Code Execution via Session Data Truncation

Title source: llm

Description

Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.

References (4)

Core 4

Core References

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2016/02/24/19

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2016/03/15/10

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3498

Patch, Vendor Advisory x_refsource_confirm

https://www.drupal.org/SA-CORE-2016-001

Scores

CVSS v3 8.1

EPSS 0.0822

EPSS Percentile 92.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-19

Status published

Products (41)

debian/debian_linux 7.0

debian/debian_linux 8.0

drupal/core 6.0 - 6.38Packagist

drupal/drupal 6.0 (10 CPE variants)

drupal/drupal 6.1

drupal/drupal 6.2

drupal/drupal 6.3

drupal/drupal 6.4

drupal/drupal 6.5

drupal/drupal 6.6

... and 31 more

Published Apr 12, 2016

Tracked Since Feb 18, 2026