Home > Vulnerability Database > CVE-2016-3165

Mend.io Vulnerability Database

CVE-2016-3165

Date: April 12, 2016

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

Language: PHP

Severity Score

7.5

Related Resources (9)

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-3165.yaml

Url: http://www.openwall.com/lists/oss-security/2016/03/15/10

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-3165.yaml

Url: http://www.openwall.com/lists/oss-security/2016/02/24/19

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-3165

Url: https://www.drupal.org/SA-CORE-2016-001

Url: http://www.debian.org/security/2016/dsa-3498

Url: https://github.com/drupal/core

Url: https://www.mend.io/vulnerability-database/CVE-2016-3165

Severity Score

7.5

Weakness Type (CWE)

Improper Access Control

CWE-284

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-3165

Date: April 12, 2016

Language: PHP

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?