CVE-2016-3168

6.4MEDIUM

Key Information

Vendor: Drupal
Status: Drupal
Vendor: CVE Published:; 12 April 2016

Summary

The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."

Refferences

http://www.openwall.com/lists/oss-security/2016/02/24/19

mailing-listx_refsource_MLIST

http://www.openwall.com/lists/oss-security/2016/03/15/10

mailing-listx_refsource_MLIST

http://www.debian.org/security/2016/dsa-3498

vendor-advisoryx_refsource_DEBIAN

https://www.drupal.org/SA-CORE-2016-001

x_refsource_CONFIRM

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 12, 2016
Vulnerability Reserved
Mar 15, 2016

Collectors

NVD DatabaseMitre Database

.