{"id":"GHSA-qqxc-cppg-4xp8","summary":"Drupal Reflected file download vulnerability","details":"The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a \"reflected file download vulnerability.\"","aliases":["CVE-2016-3168"],"modified":"2024-04-23T18:12:16.375007Z","published":"2022-05-17T03:57:06Z","database_specific":{"severity":"MODERATE","cwe_ids":[],"github_reviewed_at":"2024-04-23T17:19:29Z","nvd_published_at":"2016-04-12T15:59:00Z","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3168"},{"type":"WEB","url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-3168.yaml"},{"type":"WEB","url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-3168.yaml"},{"type":"PACKAGE","url":"https://github.com/drupal/core"},{"type":"WEB","url":"https://www.drupal.org/SA-CORE-2016-001"},{"type":"WEB","url":"http://www.debian.org/security/2016/dsa-3498"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2016/02/24/19"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2016/03/15/10"}],"affected":[{"package":{"name":"drupal/core","ecosystem":"Packagist","purl":"pkg:composer/drupal/core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.0"},{"fixed":"6.38"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qqxc-cppg-4xp8/GHSA-qqxc-cppg-4xp8.json"}},{"package":{"name":"drupal/core","ecosystem":"Packagist","purl":"pkg:composer/drupal/core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.0"},{"fixed":"7.43"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qqxc-cppg-4xp8/GHSA-qqxc-cppg-4xp8.json"}},{"package":{"name":"drupal/drupal","ecosystem":"Packagist","purl":"pkg:composer/drupal/drupal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.0"},{"fixed":"7.43"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qqxc-cppg-4xp8/GHSA-qqxc-cppg-4xp8.json"}},{"package":{"name":"drupal/drupal","ecosystem":"Packagist","purl":"pkg:composer/drupal/drupal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.0"},{"fixed":"6.38"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qqxc-cppg-4xp8/GHSA-qqxc-cppg-4xp8.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"}]}