CVE-2016-3165

CWE-284Improper Access Control5 documents5 sources
Severity
7.5HIGH
EPSS
0.6%
top 30.32%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Drupal CoreDrupal Drupal
Timeline
PublishedApr 12
Latest updateMay 17

Description

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

Packagistdrupal/core6.06.38
Packagistdrupal/drupal6.06.38
NVDdrupal/drupal38 versions+37

Patches

Patch: www.drupal.orgPatch: www.drupal.org

🔴Vulnerability Details

3
GHSA
Drupal Form API ignores access restrictions on submit buttons2022-05-17
OSV
Drupal Form API ignores access restrictions on submit buttons2022-05-17
CVEList
CVE-2016-3165: The Form API in Drupal 62016-04-12

💬Community

1
Bugzilla
CVE-2016-3162 CVE-2016-3163 CVE-2016-3164 CVE-2016-3165 CVE-2016-3166 CVE-2016-3167 CVE-2016-3168 CVE-2016-3169 CVE-2016-3170 CVE-2016-3171 drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-2016-02-26
CVE-2016-3165 (HIGH CVSS 7.5) | The Form API in Drupal 6.x before 6 | cvebase.io