CVE-2016-3169

Severity
8.1 HIGH
EPSS
1.0%
top 22.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Apr 12
Latest update May 17

Description

The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (3 packages)

Packagist drupal/core 6.0 6.38 +1
Packagist drupal/drupal 7.0 7.43 +1
NVD drupal/drupal 81 versions +80

Also affects: Debian Linux 7.0, 8.0

Patches

🔴 Vulnerability Details

5
OSV
Drupal saving user accounts can sometimes grant the user all roles 2022-05-17
GHSA
Drupal saving user accounts can sometimes grant the user all roles 2022-05-17
OSV
linux-lts-xenial vulnerabilities 2017-01-11
CVEList
CVE-2016-3169: The User module in Drupal 6 2016-04-12
OSV
CVE-2016-3169: The User module in Drupal 6 2016-04-12

💬 Community

1
Bugzilla
CVE-2016-3162 CVE-2016-3163 CVE-2016-3164 CVE-2016-3165 CVE-2016-3166 CVE-2016-3167 CVE-2016-3168 CVE-2016-3169 CVE-2016-3170 CVE-2016-3171 drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016- 2016-02-26