Description
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
Remediation
References