CVE-2016-3166

CWE-1135 documents5 sources
Severity
5.9MEDIUM
EPSS
0.5%
top 34.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Drupal CoreDrupal DrupalDebian Debian Linux
Timeline
PublishedApr 12
Latest updateMay 17

Description

CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

Packagistdrupal/core6.06.38
Packagistdrupal/drupal6.06.38
NVDdrupal/drupal38 versions+37

Also affects: Debian Linux 7.0, 8.0

Patches

Patch: www.drupal.orgPatch: www.drupal.org

🔴Vulnerability Details

3
GHSA
Drupal CRLF injection vulnerability in the drupal_set_header function2022-05-17
OSV
Drupal CRLF injection vulnerability in the drupal_set_header function2022-05-17
CVEList
CVE-2016-3166: CRLF injection vulnerability in the drupal_set_header function in Drupal 62016-04-12

💬Community

1
Bugzilla
CVE-2016-3162 CVE-2016-3163 CVE-2016-3164 CVE-2016-3165 CVE-2016-3166 CVE-2016-3167 CVE-2016-3168 CVE-2016-3169 CVE-2016-3170 CVE-2016-3171 drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-2016-02-26
CVE-2016-3166 (MEDIUM CVSS 5.9) | CRLF injection vulnerability in the | cvebase.io