CVE-2016-3165

Source
https://cve.org/CVERecord?id=CVE-2016-3165
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3165.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-3165
Aliases
Published
2016-04-12T15:59:03.057Z
Modified
2026-07-08T05:49:08.203895048Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:drupal:drupal:6.0:beta1:*:*:*:*:*:*",
                "cpe:2.3:a:drupal:drupal:6.0:beta2:*:*:*:*:*:*",
                "cpe:2.3:a:drupal:drupal:6.0:beta3:*:*:*:*:*:*",
                "cpe:2.3:a:drupal:drupal:6.0:beta4:*:*:*:*:*:*",
                "cpe:2.3:a:drupal:drupal:6.0:rc1:*:*:*:*:*:*",
                "cpe:2.3:a:drupal:drupal:6.0:rc2:*:*:*:*:*:*",
                "cpe:2.3:a:drupal:drupal:6.0:rc3:*:*:*:*:*:*",
                "cpe:2.3:a:drupal:drupal:6.0:rc4:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "6.0-beta1"
                },
                {
                    "last_affected": "6.0-beta1"
                },
                {
                    "introduced": "6.0-beta2"
                },
                {
                    "last_affected": "6.0-beta2"
                },
                {
                    "introduced": "6.0-beta3"
                },
                {
                    "last_affected": "6.0-beta3"
                },
                {
                    "introduced": "6.0-beta4"
                },
                {
                    "last_affected": "6.0-beta4"
                },
                {
                    "introduced": "6.0-rc1"
                },
                {
                    "last_affected": "6.0-rc1"
                },
                {
                    "introduced": "6.0-rc2"
                },
                {
                    "last_affected": "6.0-rc2"
                },
                {
                    "introduced": "6.0-rc3"
                },
                {
                    "last_affected": "6.0-rc3"
                },
                {
                    "introduced": "6.0-rc4"
                },
                {
                    "last_affected": "6.0-rc4"
                }
            ],
            "vendor_product": "drupal:drupal",
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type
GIT
Repo
https://github.com/drupal/drupal
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.0:dev:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.6:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.7:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.9:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.10:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.11:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.12:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.13:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.14:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.15:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.16:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.17:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.18:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.19:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.20:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.21:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.22:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.23:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.24:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.25:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.26:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.27:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.28:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.29:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.30:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.31:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.32:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.33:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.34:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.35:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.36:*:*:*:*:*:*:*",
        "cpe:2.3:a:drupal:drupal:6.37:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "6.0"
        },
        {
            "last_affected": "6.0"
        },
        {
            "introduced": "6.0-dev"
        },
        {
            "last_affected": "6.0-dev"
        },
        {
            "introduced": "6.1"
        },
        {
            "last_affected": "6.1"
        },
        {
            "introduced": "6.2"
        },
        {
            "last_affected": "6.2"
        },
        {
            "introduced": "6.3"
        },
        {
            "last_affected": "6.3"
        },
        {
            "introduced": "6.4"
        },
        {
            "last_affected": "6.4"
        },
        {
            "introduced": "6.5"
        },
        {
            "last_affected": "6.5"
        },
        {
            "introduced": "6.6"
        },
        {
            "last_affected": "6.6"
        },
        {
            "introduced": "6.7"
        },
        {
            "last_affected": "6.7"
        },
        {
            "introduced": "6.8"
        },
        {
            "last_affected": "6.8"
        },
        {
            "introduced": "6.9"
        },
        {
            "last_affected": "6.9"
        },
        {
            "introduced": "6.10"
        },
        {
            "last_affected": "6.10"
        },
        {
            "introduced": "6.11"
        },
        {
            "last_affected": "6.11"
        },
        {
            "introduced": "6.12"
        },
        {
            "last_affected": "6.12"
        },
        {
            "introduced": "6.13"
        },
        {
            "last_affected": "6.13"
        },
        {
            "introduced": "6.14"
        },
        {
            "last_affected": "6.14"
        },
        {
            "introduced": "6.15"
        },
        {
            "last_affected": "6.15"
        },
        {
            "introduced": "6.16"
        },
        {
            "last_affected": "6.16"
        },
        {
            "introduced": "6.17"
        },
        {
            "last_affected": "6.17"
        },
        {
            "introduced": "6.18"
        },
        {
            "last_affected": "6.18"
        },
        {
            "introduced": "6.19"
        },
        {
            "last_affected": "6.19"
        },
        {
            "introduced": "6.20"
        },
        {
            "last_affected": "6.20"
        },
        {
            "introduced": "6.21"
        },
        {
            "last_affected": "6.21"
        },
        {
            "introduced": "6.22"
        },
        {
            "last_affected": "6.22"
        },
        {
            "introduced": "6.23"
        },
        {
            "last_affected": "6.23"
        },
        {
            "introduced": "6.24"
        },
        {
            "last_affected": "6.24"
        },
        {
            "introduced": "6.25"
        },
        {
            "last_affected": "6.25"
        },
        {
            "introduced": "6.26"
        },
        {
            "last_affected": "6.26"
        },
        {
            "introduced": "6.27"
        },
        {
            "last_affected": "6.27"
        },
        {
            "introduced": "6.28"
        },
        {
            "last_affected": "6.28"
        },
        {
            "introduced": "6.29"
        },
        {
            "last_affected": "6.29"
        },
        {
            "introduced": "6.30"
        },
        {
            "last_affected": "6.30"
        },
        {
            "introduced": "6.31"
        },
        {
            "last_affected": "6.31"
        },
        {
            "introduced": "6.32"
        },
        {
            "last_affected": "6.32"
        },
        {
            "introduced": "6.33"
        },
        {
            "last_affected": "6.33"
        },
        {
            "introduced": "6.34"
        },
        {
            "last_affected": "6.34"
        },
        {
            "introduced": "6.35"
        },
        {
            "last_affected": "6.35"
        },
        {
            "introduced": "6.36"
        },
        {
            "last_affected": "6.36"
        },
        {
            "introduced": "6.37"
        },
        {
            "last_affected": "6.37"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

6.*
6.0
6.1
6.10
6.11
6.12
6.13
6.14
6.15
6.16
6.17
6.18
6.19
6.2
6.20
6.21
6.22
6.23
6.24
6.25
6.26
6.27
6.28
6.29
6.3
6.30
6.31
6.32
6.33
6.34
6.35
6.36
6.37
6.4
6.5
6.6
6.7
6.8
6.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3165.json"