CVE-2016-3165
7.5 HIGH
Summary
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
References
http://www.openwall.com/lists/oss-security/2016/02/24/19 (mailing-list, x_refsource_MLIST)
http://www.openwall.com/lists/oss-security/2016/03/15/10 (mailing-list, x_refsource_MLIST)
http://www.debian.org/security/2016/dsa-3498 (vendor-advisory, x_refsource_DEBIAN)
https://www.drupal.org/SA-CORE-2016-001 (x_refsource_CONFIRM)
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD Database
Mitre Database