Access Restriction Bypass in Drupal 6.x Form API

Access Restriction Bypass in Drupal 6.x Form API

CVE-2016-3165 · MEDIUM Severity

AV:N/AC:L/AU:N/C:N/I:P/A:N

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

Learn more about our Cis Benchmark Audit For Server Software.