CVE-2016-3165: Improper Access Control

April 12, 2016 (updated April 13, 2016)

The Form API in Drupal ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has #access set to FALSE in the server-side form definition.

References

nvd.nist.gov/vuln/detail/CVE-2016-3165
www.drupal.org/SA-CORE-2016-001

Code Behaviors & Features

Detect and mitigate CVE-2016-3165 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →