Home > Vulnerability Database > CVE-2016-3165

Mend.io Vulnerability Database

CVE-2016-3165

Good to know:

Date: April 12, 2016

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

Language: PHP

Severity Score

7.5

Related Resources (6)

Url: http://www.openwall.com/lists/oss-security/2016/03/15/10

Url: http://www.openwall.com/lists/oss-security/2016/02/24/19

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-3165

Url: https://www.drupal.org/SA-CORE-2016-001

Url: http://www.debian.org/security/2016/dsa-3498

Url: https://www.mend.io/vulnerability-database/CVE-2016-3165

Severity Score

7.5

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version 6.38,7.43,8.0.4

Learn More

CVSS v3

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-3165

Good to know:

Date: April 12, 2016

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3

CVSS v2

Do you need more information?