{"id":"CVE-2016-3168","details":"The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a \"reflected file download vulnerability.\"","aliases":["GHSA-qqxc-cppg-4xp8"],"modified":"2026-06-18T03:56:28.258599413Z","published":"2016-04-12T15:59:05.963Z","database_specific":{"unresolved_ranges":[{"vendor_product":"debian:debian_linux","source":"CPE_STRING","extracted_events":[{"last_affected":"7.0"},{"last_affected":"8.0"}],"cpes":["cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]},{"vendor_product":"drupal:drupal","source":"CPE_STRING","extracted_events":[{"last_affected":"6.0-beta1"},{"last_affected":"6.0-beta2"},{"last_affected":"6.0-beta3"},{"last_affected":"6.0-beta4"},{"last_affected":"6.0-rc1"},{"last_affected":"6.0-rc2"},{"last_affected":"6.0-rc3"},{"last_affected":"6.0-rc4"},{"last_affected":"7.0-rc1"},{"last_affected":"7.0-rc2"},{"last_affected":"7.0-rc3"},{"last_affected":"7.0-rc4"}],"cpes":["cpe:2.3:a:drupal:drupal:6.0:beta1:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.0:beta2:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.0:beta3:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.0:beta4:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.0:rc1:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.0:rc2:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.0:rc3:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.0:rc4:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:rc1:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:rc2:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:rc3:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:rc4:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2016/02/24/19"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2016/03/15/10"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3498"},{"type":"FIX","url":"https://www.drupal.org/SA-CORE-2016-001"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"0"},{"last_affected":"f8d6bbf44160e6d00e71f0172ecf80e78d0f0d3c"},{"last_affected":"d6c7b4cf627ab409c595e1c76bf0a8deadbc7feb"},{"last_affected":"fee422170acc602c2049af4dc2fd00f1da3c5713"},{"last_affected":"dff6422ef765e6a6b1ca03184e4ed334c895fd4c"},{"last_affected":"49f719f7c4f7c1b69dc35ff8fbdea123e7d88f92"},{"last_affected":"85c9ed0b6a001b4196b24826841e2cf2d18d2612"},{"last_affected":"87a469b868ad719c11fb59d932b8d4a5bcf02b08"},{"last_affected":"ead5598cdfaf1505b478aa03db4017f9c1f829f5"},{"last_affected":"80cff5cedfe9f8a23596c1a7e1ae456c894a79ae"},{"last_affected":"bdd3062d800919f27627b8fddc3887b2495074c2"},{"last_affected":"a7c068b9bc213c599872a0f729d736f5ff3d7866"},{"last_affected":"8135c33f6fd219124b085a2e50ea9bf1f6e87612"},{"last_affected":"84f629ace76044177ddd24ad03c2566b9af1688b"},{"last_affected":"7c757303a57f24770f2707529f8398d194a5efcd"},{"last_affected":"b62ba500242b711ce932ecfeb258c00e22c258ba"},{"last_affected":"23bda276dc19dd3b3d17174b808020ae820879c7"},{"last_affected":"77b6714fb3e0bcec9ef7df1a610eb6bdbf09636e"},{"last_affected":"a09fcca0294ef62ba7b1c7ec2af2980f0a39d3e1"},{"last_affected":"4e8e0454b3bfc3b846cf4b7bcaca0e8f42f0c17a"},{"last_affected":"88146f6da7b169a6504ecfdd39fe29913c977350"},{"last_affected":"8636b1234c84a07f0f087ca5d64483c4fc7b2256"},{"last_affected":"7c4e429b7fa771676a18321aac9896e86773891e"},{"last_affected":"39f366e0a91bb0f79cdf7aab8d50c92473e6bd4e"},{"last_affected":"10edcf72444e58b2032957edd3d478ac2d431b0c"},{"last_affected":"3595e528c35eeeef5cdcd11932ede5af0b21447c"},{"last_affected":"7e8649f761e0279e07b2050a7ec61097636f269b"},{"last_affected":"9260bc47d39971738f6d489554a4eb22c8c8e85e"},{"last_affected":"da8023a98808d243a03d494750a30d06dd1827cc"},{"last_affected":"6f2fd0451a5cae837870da665f35514d8730fcf3"},{"last_affected":"9ce67f2e403f7238a581fc78ca51a7f5ba32fb52"},{"last_affected":"203f323c8813f60c634ca23e025934d1527b0418"},{"last_affected":"66e94d74994fced9fafbb2583f1c9e1bc636c04f"},{"last_affected":"92eedf2c17bcea6db47c6b317c6ebf6078bfffae"},{"last_affected":"c71b15f68010db028f07839c226d31563f220890"},{"last_affected":"01c9f6164e9b48a7d715e07fb0d98fbe71bae87b"},{"last_affected":"8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93"},{"last_affected":"a362d912056d6e385a6c458cddf776ec746c68ae"},{"last_affected":"e9d0768c1326332a3f1bbac761e7d9d7156d4ae6"},{"last_affected":"497914920385b7016ac9c9367e0198530787adf2"},{"last_affected":"c511a4abe771499fe4ff682decad59a3cd1e61d0"},{"last_affected":"154ffa85f8bf5033c958ba8face74797463a6bde"},{"last_affected":"d516f6778e57da524e3491710c6e5a5382dc647e"},{"last_affected":"a4fabec730e7377f6dfe656599145b40f778a77d"},{"last_affected":"9b9d9296c85e88d6ecb875d7e350e0083a105108"},{"last_affected":"9bf09eea76bbf071db4016252faca2d20bf1a6c2"},{"last_affected":"0c6f9b0074a227fe1b2fef3621925ef900039486"},{"last_affected":"d0b330ef316d761fc02eadeb659f9ff1ab106c3e"},{"last_affected":"237c0642a799ed3a1895f3144d8017422e2a8f72"},{"last_affected":"d08387cf6316da3b5158ccc1063acc5399ef3ee2"},{"last_affected":"316bd96ebff36284f5f3e33268760ff9c672b6f8"},{"last_affected":"49e2d2ca6f6c6489b07b9e863150d20a38148a57"},{"last_affected":"ebf9026bb8411de4866824f45ab825ecb41a5f47"},{"last_affected":"d8cfe088697631a9789895b4128b12ab79c07207"},{"last_affected":"eabb023933ac83947e5d238c4a83b1f5bdbcc738"},{"last_affected":"1f124bf1accbad60b31a463ff59232d2f5626100"},{"last_affected":"ca9434462a4af269f24b0b616939938a3a4c112f"},{"last_affected":"6b54665a5921d26d00559644754047420776da4a"},{"last_affected":"09bfa80c0c6ffabf7e02e706dbfd2f514619bbc4"},{"last_affected":"a07564a2968a464d3f800da0c2e75045caa367ea"},{"last_affected":"40093b2fa7dde4a5f3c6806aad91b9302c232903"},{"last_affected":"4d4080b17681ae674e10c077b72d00f0b1544e0c"},{"last_affected":"9879d29f731570a34b24c4eae4cc8cb30c7a5082"},{"last_affected":"30d1e719aa5e9a9ad66514078ca3b0975ddadc9c"},{"last_affected":"a584af62514ba7ec37b82b0c7b17081fcca4c5e0"},{"last_affected":"b9127101ffeca819e74a03fa9f5a48d026c562e5"},{"last_affected":"c5d6e6334fb7a71ecf1dbc7e06a7de8ad9547b27"},{"last_affected":"b47f95d3013619e33cafdf8b769b2b6179a07956"},{"last_affected":"1d4604da252f0e6e19339957ec214388f61b908d"},{"last_affected":"3a24da1b40f5e05876ad7775044500b61eb2ed94"},{"last_affected":"ec59e1197a2aa37557f9a87f13ba4d90e6aabf4c"},{"last_affected":"dce3c77a61d9510dbac6927b60a03bc8da19e947"},{"last_affected":"bf704d6ffe55d66a440a55a9d43e8846d46d2440"},{"last_affected":"782d1155c62c0a879bf587c7e40c3a13bcf6879c"},{"last_affected":"effed1c831c997be26e12f18be0d8eb683f21a75"},{"last_affected":"dc791ec5839b52c7616bf66993122aa9a1336384"},{"last_affected":"6642fbc7001c728e218170fd286e6b8a24eef24f"},{"last_affected":"1769d1cca92e206510528c324552797e83a1fc7c"},{"last_affected":"83b80acad8431fcd56e9a331ba06c41edee48c91"},{"last_affected":"f9784cf829fe2d6aad57b6de1f2e3a167e95cea6"},{"last_affected":"90e884ad0f7f2cf269d953f7d70966de9fd821ff"},{"last_affected":"131a6f5129b18f3913ba5882111797f8588c5aaf"},{"last_affected":"4ba5f184c69306da0e30260890f01ea0694af274"},{"last_affected":"81586d9e9d04dcee487c50de426c04221899b6d0"},{"last_affected":"b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8"},{"last_affected":"b42286571f4a22324f321af025768107caa99c30"},{"last_affected":"18c5da5028b7c3ba985e598bb8df45613285d437"},{"last_affected":"5cb79b4b217e9aa315d61284398cce132c28bea4"},{"last_affected":"9d16792580c241b42e6192b480f65cf0bdd07bc9"},{"last_affected":"9f72251c9291b5613acb9ca4ea7a51b4739e3f93"},{"last_affected":"9ee4a1a2fa3bedb3852d21f2198509c107c48890"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"6.0"},{"last_affected":"6.0-dev"},{"last_affected":"6.1"},{"last_affected":"6.2"},{"last_affected":"6.3"},{"last_affected":"6.4"},{"last_affected":"6.5"},{"last_affected":"6.6"},{"last_affected":"6.7"},{"last_affected":"6.8"},{"last_affected":"6.9"},{"last_affected":"6.10"},{"last_affected":"6.11"},{"last_affected":"6.12"},{"last_affected":"6.13"},{"last_affected":"6.14"},{"last_affected":"6.15"},{"last_affected":"6.16"},{"last_affected":"6.17"},{"last_affected":"6.18"},{"last_affected":"6.19"},{"last_affected":"6.20"},{"last_affected":"6.21"},{"last_affected":"6.22"},{"last_affected":"6.23"},{"last_affected":"6.24"},{"last_affected":"6.25"},{"last_affected":"6.26"},{"last_affected":"6.27"},{"last_affected":"6.28"},{"last_affected":"6.29"},{"last_affected":"6.30"},{"last_affected":"6.31"},{"last_affected":"6.32"},{"last_affected":"6.33"},{"last_affected":"6.34"},{"last_affected":"6.35"},{"last_affected":"6.36"},{"last_affected":"6.37"},{"last_affected":"7.0"},{"last_affected":"7.0-alpha1"},{"last_affected":"7.0-alpha2"},{"last_affected":"7.0-alpha3"},{"last_affected":"7.0-alpha4"},{"last_affected":"7.0-alpha5"},{"last_affected":"7.0-alpha6"},{"last_affected":"7.0-alpha7"},{"last_affected":"7.0-beta1"},{"last_affected":"7.0-beta2"},{"last_affected":"7.0-beta3"},{"last_affected":"7.0-dev"},{"last_affected":"7.1"},{"last_affected":"7.2"},{"last_affected":"7.3"},{"last_affected":"7.4"},{"last_affected":"7.5"},{"last_affected":"7.6"},{"last_affected":"7.7"},{"last_affected":"7.8"},{"last_affected":"7.9"},{"last_affected":"7.10"},{"last_affected":"7.11"},{"last_affected":"7.12"},{"last_affected":"7.13"},{"last_affected":"7.14"},{"last_affected":"7.15"},{"last_affected":"7.16"},{"last_affected":"7.17"},{"last_affected":"7.18"},{"last_affected":"7.19"},{"last_affected":"7.20"},{"last_affected":"7.21"},{"last_affected":"7.22"},{"last_affected":"7.23"},{"last_affected":"7.24"},{"last_affected":"7.25"},{"last_affected":"7.26"},{"last_affected":"7.27"},{"last_affected":"7.28"},{"last_affected":"7.29"},{"last_affected":"7.30"},{"last_affected":"7.31"},{"last_affected":"7.32"},{"last_affected":"7.33"},{"last_affected":"7.34"},{"last_affected":"7.35"},{"last_affected":"7.36"},{"last_affected":"7.37"},{"last_affected":"7.38"},{"last_affected":"7.40"},{"last_affected":"7.41"},{"last_affected":"7.42"},{"last_affected":"7.x-dev"}],"source":"CPE_STRING","cpe":["cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.0:dev:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.6:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.7:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.8:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.9:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.10:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.11:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.12:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.13:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.14:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.15:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.16:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.17:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.18:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.19:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.20:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.21:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.22:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.23:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.24:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.25:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.26:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.27:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.28:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.29:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.30:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.31:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.32:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.33:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.34:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.35:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.36:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:6.37:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:alpha1:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:alpha2:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:alpha3:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:alpha4:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:alpha5:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:alpha6:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:alpha7:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:beta1:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:beta2:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:beta3:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.0:dev:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.1:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.2:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.3:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.4:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.5:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.6:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.7:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.8:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.9:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.10:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.11:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.12:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.13:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.14:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.15:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.16:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.17:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.18:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.19:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.20:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.21:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.22:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.23:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.24:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.25:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.26:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.27:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.28:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.29:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.30:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.31:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.32:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.33:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.34:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.35:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.36:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.37:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.38:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.40:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.41:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.42:*:*:*:*:*:*:*","cpe:2.3:a:drupal:drupal:7.x-dev:*:*:*:*:*:*:*"]}}],"versions":["7.42","7.41","7.40","7.38","6.37","6.36","7.37","6.35","7.36","7.35","7.34","6.34","7.33","6.33","7.32","7.31","7.30","6.32","6.31","7.29","7.28","6.30","7.27","7.26","7.25","7.24","7.23","6.29","6.28","7.22","7.21","7.20","7.19","7.18","6.27","7.17","7.16","7.15","7.14","7.13","6.26","6.25","7.12","6.24","7.11","6.23","7.10","7.9","7.8","7.7","7.6","7.5","7.4","7.3","6.22","7.2","6.21","7.1","7.0","6.20","7.0-rc-4","7.0-rc-3","7.0-rc-2","7.0-rc-1","7.0-beta3","7.0-beta2","7.0-beta1","7.0-alpha7","6.19","6.18","6.17","7.0-alpha6","7.0-alpha5","7.0-alpha4","7.0-alpha3","6.16","7.0-alpha2","7.0-alpha1","6.15","7.0-unstable-10","6.14","6.13","7.0-unstable-7","6.12","6.11","7.0-unstable-6","6.10","7.0-unstable-5","7.0-unstable-4","6.9","6.8","6.7","7.0-unstable-3","6.6","7.0-unstable-2","6.5","7.0-unstable-1","6.4","6.3","6.2","6.1","6.0","6.0-rc-4","6.0-rc-3","6.0-rc-2","6.0-rc-1","6.0-beta-4","6.0-beta-3","6.0-beta-2","6.0-beta-1","5.0-rc-2","5.0-rc-1","5.0-beta-2","5.0-beta-1","3.0.1","2.0","1.0","start"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-3168.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"}]}