CVE-2016-3162 : The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote aut

The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.

Published 2016-04-12 15:59:00

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2016-3162

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.10
cpe:2.3:a:drupal:drupal:7.10:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.3
cpe:2.3:a:drupal:drupal:7.3:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.1
cpe:2.3:a:drupal:drupal:7.1:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Beta2
cpe:2.3:a:drupal:drupal:7.0:beta2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha7
cpe:2.3:a:drupal:drupal:7.0:alpha7:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha2
cpe:2.3:a:drupal:drupal:7.0:alpha2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0
cpe:2.3:a:drupal:drupal:7.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.8
cpe:2.3:a:drupal:drupal:7.8:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.7
cpe:2.3:a:drupal:drupal:7.7:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.6
cpe:2.3:a:drupal:drupal:7.6:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.5
cpe:2.3:a:drupal:drupal:7.5:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.4
cpe:2.3:a:drupal:drupal:7.4:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha6
cpe:2.3:a:drupal:drupal:7.0:alpha6:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha5
cpe:2.3:a:drupal:drupal:7.0:alpha5:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha4
cpe:2.3:a:drupal:drupal:7.0:alpha4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha3
cpe:2.3:a:drupal:drupal:7.0:alpha3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update RC3
cpe:2.3:a:drupal:drupal:7.0:rc3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update RC2
cpe:2.3:a:drupal:drupal:7.0:rc2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update RC1
cpe:2.3:a:drupal:drupal:7.0:rc1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update DEV
cpe:2.3:a:drupal:drupal:7.0:dev:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.11
cpe:2.3:a:drupal:drupal:7.11:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.9
cpe:2.3:a:drupal:drupal:7.9:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.2
cpe:2.3:a:drupal:drupal:7.2:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update RC4
cpe:2.3:a:drupal:drupal:7.0:rc4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Beta3
cpe:2.3:a:drupal:drupal:7.0:beta3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Beta1
cpe:2.3:a:drupal:drupal:7.0:beta1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha1
cpe:2.3:a:drupal:drupal:7.0:alpha1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.x-dev
cpe:2.3:a:drupal:drupal:7.x-dev:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.12
cpe:2.3:a:drupal:drupal:7.12:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.13
cpe:2.3:a:drupal:drupal:7.13:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.14
cpe:2.3:a:drupal:drupal:7.14:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.15
cpe:2.3:a:drupal:drupal:7.15:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.17
cpe:2.3:a:drupal:drupal:7.17:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.16
cpe:2.3:a:drupal:drupal:7.16:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.18
cpe:2.3:a:drupal:drupal:7.18:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.19
cpe:2.3:a:drupal:drupal:7.19:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.23
cpe:2.3:a:drupal:drupal:7.23:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.22
cpe:2.3:a:drupal:drupal:7.22:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.21
cpe:2.3:a:drupal:drupal:7.21:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.20
cpe:2.3:a:drupal:drupal:7.20:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.24
cpe:2.3:a:drupal:drupal:7.24:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.26
cpe:2.3:a:drupal:drupal:7.26:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.28
cpe:2.3:a:drupal:drupal:7.28:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.25
cpe:2.3:a:drupal:drupal:7.25:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.27
cpe:2.3:a:drupal:drupal:7.27:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.30
cpe:2.3:a:drupal:drupal:7.30:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.29
cpe:2.3:a:drupal:drupal:7.29:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.31
cpe:2.3:a:drupal:drupal:7.31:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.33
cpe:2.3:a:drupal:drupal:7.33:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.34
cpe:2.3:a:drupal:drupal:7.34:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.32
cpe:2.3:a:drupal:drupal:7.32:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.37
cpe:2.3:a:drupal:drupal:7.37:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.35
cpe:2.3:a:drupal:drupal:7.35:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.36
cpe:2.3:a:drupal:drupal:7.36:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.38
cpe:2.3:a:drupal:drupal:7.38:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.40
cpe:2.3:a:drupal:drupal:7.40:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.3
cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.2
cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.41
cpe:2.3:a:drupal:drupal:7.41:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.1
cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0
cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-3162

EPSS FAQ

0.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 34 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-3162

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.1	HIGH	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2016-3162

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-3162

http://www.openwall.com/lists/oss-security/2016/02/24/19

oss-security - CVE requests for Drupal core (SA-CORE-2016-001)

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2016/03/15/10

oss-security - Re: CVE requests for Drupal core (SA-CORE-2016-001)

CVEs referencing this url
http://www.debian.org/security/2016/dsa-3498

Debian -- Security Information -- DSA-3498-1 drupal7

CVEs referencing this url
https://www.drupal.org/SA-CORE-2016-001

Access to this page has been denied.
Patch;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-3162

Products affected by CVE-2016-3162

Exploit prediction scoring system (EPSS) score for CVE-2016-3162

CVSS scores for CVE-2016-3162

CWE ids for CVE-2016-3162

References for CVE-2016-3162