CVE-2016-3171 – drupal/drupal
Package
Manager: composer
Name: drupal/drupal
Vulnerable Version: >=6.0 <6.38
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.07448 (percentile 0.9139)
Details
Drupal arbitrary code execution
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
Metadata
Created: 2022-05-17T03:55:47Z
Modified: 2024-04-23T22:18:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-69g8-g9jq-74v7/GHSA-69g8-g9jq-74v7.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-69g8-g9jq-74v7
Finding: F422
Auto approve: 1