Published: 12/04/2016 Updated: 13/04/2016

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

The Form API in Drupal 6.x prior to 6.38 ignores access restrictions on submit buttons, which might allow remote malicious users to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

Vulnerable Product	Search on Vulmon	Subscribe to Product
drupal drupal 6.37
drupal drupal 6.9
drupal drupal 6.29
drupal drupal 6.28
drupal drupal 6.27
drupal drupal 6.26
drupal drupal 6.14
drupal drupal 6.13
drupal drupal 6.12
drupal drupal 6.11
drupal drupal 6.4
drupal drupal 6.7
drupal drupal 6.5
drupal drupal 6.33
drupal drupal 6.31
drupal drupal 6.3
drupal drupal 6.25
drupal drupal 6.23
drupal drupal 6.17
drupal drupal 6.15
drupal drupal 6.10
drupal drupal 6.0
drupal drupal 6.36
drupal drupal 6.35
drupal drupal 6.34
drupal drupal 6.21
drupal drupal 6.20
drupal drupal 6.2
drupal drupal 6.19
drupal drupal 6.8
drupal drupal 6.6
drupal drupal 6.32
drupal drupal 6.30
drupal drupal 6.24
drupal drupal 6.22
drupal drupal 6.18
drupal drupal 6.16
drupal drupal 6.1

CWE-284 http://www.openwall.com/lists/oss-security/2016/02/24/19 http://www.debian.org/security/2016/dsa-3498 https://www.drupal.org/SA-CORE-2016-001 http://www.openwall.com/lists/oss-security/2016/03/15/10 https://nvd.nist.gov

CVE-2016-3165

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect