vulnerability

Drupal: CVE-2016-3165 : Form API ignores access restrictions on submit buttons - SA-CORE-2016-001

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	2016-04-12	2017-08-02	2025-04-14

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

2016-04-12

Added

2017-08-02

Modified

2025-04-14

Description

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

Solution

drupal-cve-2016-3165

References

CVE-2016-3165
https://attackerkb.com/topics/CVE-2016-3165
URL-https://www.drupal.org/SA-CORE-2016-001

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today