Drupal » Drupal : Security Vulnerabilities, CVEs, Published In 2016 (Gain Privilege) CVSS score >= 1
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
Max CVSS: 7.5 | EPSS Score: 0.46% | Published: 2016-04-12 | Updated: 2016-04-13
The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
Max CVSS: 8.1 | EPSS Score: 0.18% | Published: 2016-04-12 | Updated: 2016-04-22
2 vulnerabilities found