CVE-2016-3171
published 2016-04-12CVE-2016-3171: Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code…
PriorityP348high8.1CVSS 3.0
AVNACHPRNUINSUCHIHAH
EPSS
3.19%
86.5th percentile
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
Affected
42 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| drupal | core | >= 6.0 < 6.38 | 6.38 |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
| drupal | drupal | — | — |
CVSS provenance
nvdv3.08.1HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Drupal arbitrary code execution
osv·2022-05-17
CVE-2016-3171 [HIGH] Drupal arbitrary code execution
Drupal arbitrary code execution
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
GHSA
Drupal arbitrary code execution
ghsa·2022-05-17
CVE-2016-3171 [HIGH] CWE-94 Drupal arbitrary code execution
Drupal arbitrary code execution
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
No detection rules found.
No public exploits indexed.
http://www.debian.org/security/2016/dsa-3498http://www.openwall.com/lists/oss-security/2016/02/24/19http://www.openwall.com/lists/oss-security/2016/03/15/10https://www.drupal.org/SA-CORE-2016-001http://www.debian.org/security/2016/dsa-3498http://www.openwall.com/lists/oss-security/2016/02/24/19http://www.openwall.com/lists/oss-security/2016/03/15/10https://www.drupal.org/SA-CORE-2016-001
2016-04-12
Published