CVE-2016-3165

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

Published: Apr 12, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-3165
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
drupal / drupal	6.0-beta2	6.0-beta2.x
drupal / drupal	6.33	6.33.x
drupal / drupal	6.0-rc2	6.0-rc2.x
drupal / drupal	6.2	6.2.x
drupal / drupal	6.14	6.14.x
drupal / drupal	6.24	6.24.x
drupal / drupal	6.13	6.13.x
drupal / drupal	6.0-dev	6.0-dev.x
drupal / drupal	6.25	6.25.x
drupal / drupal	6.18	6.18.x
drupal / drupal	6.0-beta4	6.0-beta4.x
drupal / drupal	6.12	6.12.x
drupal / drupal	6.32	6.32.x
drupal / drupal	6.0-rc3	6.0-rc3.x
drupal / drupal	6.0-rc4	6.0-rc4.x
drupal / drupal	6.4	6.4.x
drupal / drupal	6.11	6.11.x
drupal / drupal	6.0-beta1	6.0-beta1.x
drupal / drupal	6.36	6.36.x
drupal / drupal	6.35	6.35.x
drupal / drupal	6.26	6.26.x
drupal / drupal	6.30	6.30.x
drupal / drupal	6.7	6.7.x
drupal / drupal	6.22	6.22.x
drupal / drupal	6.8	6.8.x
drupal / drupal	6.27	6.27.x
drupal / drupal	6.19	6.19.x
drupal / drupal	6.1	6.1.x
drupal / drupal	6.28	6.28.x
drupal / drupal	6.21	6.21.x
drupal / drupal	6.17	6.17.x
drupal / drupal	6.5	6.5.x
drupal / drupal	6.31	6.31.x
drupal / drupal	6.10	6.10.x
drupal / drupal	6.23	6.23.x
drupal / drupal	6.6	6.6.x
drupal / drupal	6.0	6.0.x
drupal / drupal	6.15	6.15.x
drupal / drupal	6.0-beta3	6.0-beta3.x
drupal / drupal	6.16	6.16.x
drupal / drupal	6.34	6.34.x
drupal / drupal	6.3	6.3.x
drupal / drupal	6.0-rc1	6.0-rc1.x
drupal / drupal	6.29	6.29.x
drupal / drupal	6.37	6.37.x
drupal / drupal	6.20	6.20.x
drupal / drupal	6.9	6.9.x

Vulnerability Database

290,206

CVE-2016-3165