The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| drupal/core(Packagist) | 6.0 | 6.38 | N/A |
| drupal/drupal(Packagist) | 6.0 | 6.38 | N/A |
CVSS Metrics
