The Form API in Drupal 6.x prior to 6.38 ignores access restrictions on submit buttons, which might allow remote malicious users to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
Vulnerable Product |
---|
drupal drupal 6.37 |
drupal drupal 6.9 |
drupal drupal 6.29 |
drupal drupal 6.28 |
drupal drupal 6.27 |
drupal drupal 6.26 |
drupal drupal 6.14 |
drupal drupal 6.13 |
drupal drupal 6.12 |
drupal drupal 6.11 |
drupal drupal 6.4 |
drupal drupal 6.7 |
drupal drupal 6.5 |
drupal drupal 6.33 |
drupal drupal 6.31 |
drupal drupal 6.3 |
drupal drupal 6.25 |
drupal drupal 6.23 |
drupal drupal 6.17 |
drupal drupal 6.15 |
drupal drupal 6.10 |
drupal drupal 6.0 |
drupal drupal 6.36 |
drupal drupal 6.35 |
drupal drupal 6.34 |
drupal drupal 6.21 |
drupal drupal 6.20 |
drupal drupal 6.2 |
drupal drupal 6.19 |
drupal drupal 6.8 |
drupal drupal 6.6 |
drupal drupal 6.32 |
drupal drupal 6.30 |
drupal drupal 6.24 |
drupal drupal 6.22 |
drupal drupal 6.18 |
drupal drupal 6.16 |
drupal drupal 6.1 |