CVE-2016-3171

CWE-19 CWE-94 — Code Injection5 documents5 sources

Severity

8.1HIGH

EPSS

8.2%

top 7.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal Drupal Debian Debian Linux

Timeline

PublishedApr 12

Latest updateMay 17

Description

Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶Packagistdrupal/core6.0 — 6.38

▶Packagistdrupal/drupal6.0 — 6.38

▶NVDdrupal/drupal38 versions+37

Also affects: Debian Linux 7.0, 8.0

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

OSV

Drupal arbitrary code execution↗2022-05-17

▶

GHSA

Drupal arbitrary code execution↗2022-05-17

▶

CVEList

CVE-2016-3171: Drupal 6↗2016-04-12

▶

💬Community

Bugzilla

CVE-2016-3162 CVE-2016-3163 CVE-2016-3164 CVE-2016-3165 CVE-2016-3166 CVE-2016-3167 CVE-2016-3168 CVE-2016-3169 CVE-2016-3170 CVE-2016-3171 drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-↗2016-02-26

▶