CVE-2016-3165 — Drupal Form API ignores access restrictions on submit buttons

Description

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

How to fix CVE-2016-3165

To remediate CVE-2016-3165, upgrade the affected package to a fixed version below.

—upgrade to 6.38 or later
—upgrade to 6.38 or later

Is CVE-2016-3165 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 6.0, < 6.38
>= 6.0, < 6.38

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-3165
PATCHgithub.com/drupal/core
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-3165.yaml
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-3165.yaml