CVE-2016-3165
CVE-2016-3165 affects Drupal 6.x before 6.38, where the Form API fails to enforce access restrictions on submit buttons. The server-side form definition may mark a button as #access = FALSE, yet a form submission can still be accepted if the attacker has permission to submit the form, ef...
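The access check described above can be modelled in a few lines of standalone PHP. This is an added example, not Drupal's own code: the form, the handler names (example_save, example_delete), the function names and the request data are all constructed, and the matching logic is a simplified assumption of how a clicked button is resolved to its submit handler.

```php
<?php
// Standalone model, not Drupal's code. The form, handler names and request
// data below are constructed for illustration.
function example_form($is_admin) {
  return array(
    'save' => array('#type' => 'submit', '#name' => 'op', '#value' => 'Save',
      '#submit' => array('example_save')),
    'delete' => array('#type' => 'submit', '#name' => 'op', '#value' => 'Delete',
      '#access' => $is_admin,  // FALSE for users who may not delete
      '#submit' => array('example_delete')),
  );
}

// Flawed matching, as the description above states it: every button is a
// candidate for "clicked", whether or not #access allowed it to be shown.
function selected_handlers_unchecked(array $form, array $post) {
  foreach ($form as $el) {
    if ($el['#type'] === 'submit' && isset($post[$el['#name']])
        && $post[$el['#name']] === $el['#value']) {
      return $el['#submit'];
    }
  }
  return NULL;
}

// Hardened matching: drop elements with #access = FALSE before matching, so a
// restricted button can never select its submit handler. An unset #access
// means the element is accessible.
function selected_handlers_checked(array $form, array $post) {
  $allowed = array_filter($form, function ($el) {
    return !isset($el['#access']) || $el['#access'];
  });
  return selected_handlers_unchecked($allowed, $post);
}

// Constructed request data for a non-admin session; the form was built with
// the Delete button's #access set to FALSE.
$form = example_form(FALSE);
$post = array('op' => 'Delete');
var_dump(selected_handlers_unchecked($form, $post)); // flawed matcher
var_dump(selected_handlers_checked($form, $post));   // hardened matcher
```

A submit handler for a privileged action can also repeat its own permission check rather than rely on #access alone, so the handler stays safe even if the button-level restriction is bypassed.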