CVE-2016-3169 – drupal/core

Package

Manager: composer
Name: drupal/core
Vulnerable Version: >=6.0 <6.38 || >=7.0 <7.43

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00911 pctl0.74947

Details

Drupal saving user accounts can sometimes grant the user all roles The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.

Metadata

Created: 2022-05-17T03:57:19Z
Modified: 2024-04-23T17:19:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q3p9-8728-wq7x/GHSA-q3p9-8728-wq7x.json
CWE IDs: ["CWE-269"]
Alternative ID: GHSA-q3p9-8728-wq7x
Finding: F159
Auto approve: 1