CVE-2016-3171

Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.

Published: Apr 12, 2016
Updated: Nov 9, 2025
CVE: CVE-2016-3171
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-19

Affected Software
References

Software	From	Fixed in
drupal / drupal	6.0-rc2	6.0-rc2.x
drupal / drupal	6.0-beta2	6.0-beta2.x
drupal / drupal	6.0-dev	6.0-dev.x
drupal / drupal	6.0-beta4	6.0-beta4.x
drupal / drupal	6.0-rc3	6.0-rc3.x
drupal / drupal	6.0-rc4	6.0-rc4.x
drupal / drupal	6.0-beta1	6.0-beta1.x
drupal / drupal	6.0	6.0.x
drupal / drupal	6.0-beta3	6.0-beta3.x
drupal / drupal	6.0-rc1	6.0-rc1.x
drupal / drupal	6.1	6.1.x
drupal / drupal	6.2	6.2.x
drupal / drupal	6.3	6.3.x
drupal / drupal	6.4	6.4.x
drupal / drupal	6.5	6.5.x
drupal / drupal	6.6	6.6.x
drupal / drupal	6.7	6.7.x
drupal / drupal	6.8	6.8.x
drupal / drupal	6.9	6.9.x
drupal / drupal	6.10	6.10.x
drupal / drupal	6.11	6.11.x
drupal / drupal	6.12	6.12.x
drupal / drupal	6.13	6.13.x
drupal / drupal	6.14	6.14.x
drupal / drupal	6.15	6.15.x
drupal / drupal	6.16	6.16.x
drupal / drupal	6.17	6.17.x
drupal / drupal	6.18	6.18.x
drupal / drupal	6.19	6.19.x
drupal / drupal	6.20	6.20.x
drupal / drupal	6.21	6.21.x
drupal / drupal	6.22	6.22.x
drupal / drupal	6.23	6.23.x
drupal / drupal	6.24	6.24.x
drupal / drupal	6.25	6.25.x
drupal / drupal	6.26	6.26.x
drupal / drupal	6.27	6.27.x
drupal / drupal	6.28	6.28.x
drupal / drupal	6.29	6.29.x
drupal / drupal	6.30	6.30.x
drupal / drupal	6.31	6.31.x
drupal / drupal	6.32	6.32.x
drupal / drupal	6.33	6.33.x
drupal / drupal	6.34	6.34.x
drupal / drupal	6.35	6.35.x
drupal / drupal	6.36	6.36.x
drupal / drupal	6.37	6.37.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	7.0	7.0.x

Vulnerability Database

314,343

CVE-2016-3171

Deep Security Visibility Without the Complexity