The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2016-04-12T15:00:00
Updated: 2024-08-05T23:47:57.390Z
Reserved: 2016-03-15T00:00:00
Link: CVE-2016-3165
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2016-04-12T15:59:03.057
Modified: 2016-04-13T00:51:24.077
Link: CVE-2016-3165
Redhat
No data.