CVE-2016-3168

CWE-2546 documents5 sources
Severity
6.4MEDIUM
EPSS
0.5%
top 32.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Drupal CoreDrupal DrupalDebian Debian Linux
Timeline
PublishedApr 12
Latest updateMay 17

Description

The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:HExploitability: 0.5 | Impact: 5.9

Affected Packages3 packages

Packagistdrupal/core6.06.38+1
Packagistdrupal/drupal7.07.43+1
NVDdrupal/drupal81 versions+80

Also affects: Debian Linux 7.0, 8.0

Patches

Patch: www.drupal.orgPatch: www.drupal.org

🔴Vulnerability Details

4
GHSA
Drupal Reflected file download vulnerability2022-05-17
OSV
Drupal Reflected file download vulnerability2022-05-17
OSV
CVE-2016-3168: The System module in Drupal 62016-04-12
CVEList
CVE-2016-3168: The System module in Drupal 62016-04-12

💬Community

1
Bugzilla
CVE-2016-3162 CVE-2016-3163 CVE-2016-3164 CVE-2016-3165 CVE-2016-3166 CVE-2016-3167 CVE-2016-3168 CVE-2016-3169 CVE-2016-3170 CVE-2016-3171 drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-2016-02-26
CVE-2016-3168 (MEDIUM CVSS 6.4) | The System module in Drupal 6.x bef | cvebase.io