cvedb.io
CVE-2016-3165
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2016-04-12T15:59:03.057 · Last modified 2026-06-17T00:45:13.227

Summary

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

Affected products

drupal — drupal

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.