Description
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
Remediation
References
Related Vulnerabilities
PostgreSQL Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-1901)
WordPress Plugin FV Flowplayer Video Player Cross-Site Scripting (7.5.18.727)
Jenkins Deserialization of Untrusted Data Vulnerability (CVE-2018-1999042)
MySQL Other Vulnerability (CVE-2005-2573)
WordPress Plugin WordPress Landing Pages SQL Injection (1.2.1)