CVE-2016-3165 – drupal/core
Package
Manager: composer
Name: drupal/core
Vulnerable Version: >=6.0 <6.38
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0062 (percentile: 0.69098)
Details
Drupal Form API ignores access restrictions on submit buttons
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
Metadata
Created: 2022-05-17T03:57:19Z
Modified: 2024-04-23T22:28:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4gh5-3hqj-x3pj/GHSA-4gh5-3hqj-x3pj.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-4gh5-3hqj-x3pj
Finding: F039
Auto approve: 1