Description
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
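The pattern at risk, with a handler-level permission check as defense in depth on affected versions. This is an added example, not code from Drupal or from this advisory; the module name `example_mod`, the permission string, and the table name are assumptions made for illustration.

```php
<?php
// Hypothetical Drupal 6 module "example_mod" (constructed for illustration).

/** Implements hook_perm(): declares the permission guarding the button. */
function example_mod_perm() {
  return array('delete example records');
}

/**
 * Form builder. The "Delete all" button is withheld from users who lack
 * the permission by setting #access to FALSE in the server-side definition.
 */
function example_mod_records_form(&$form_state) {
  $form['save'] = array(
    '#type' => 'submit',
    '#value' => t('Save'),
    '#submit' => array('example_mod_records_save_submit'),
  );
  $form['delete_all'] = array(
    '#type' => 'submit',
    '#value' => t('Delete all'),
    '#access' => user_access('delete example records'),
    '#submit' => array('example_mod_records_delete_submit'),
  );
  return $form;
}

/** Submit handler for the unrestricted button. */
function example_mod_records_save_submit($form, &$form_state) {
  drupal_set_message(t('Saved.'));
}

/**
 * Submit handler for the restricted button. Before 6.38 the Form API does
 * not enforce #access on submit buttons, so the handler re-checks the
 * permission instead of assuming it is reachable only via a rendered button.
 */
function example_mod_records_delete_submit($form, &$form_state) {
  if (!user_access('delete example records')) {
    // Log the rejected submission so it is visible in the site log.
    watchdog('example_mod', 'Rejected restricted submit from uid %uid.',
      array('%uid' => $GLOBALS['user']->uid), WATCHDOG_WARNING);
    drupal_set_message(t('You are not authorized to perform this action.'), 'error');
    return;
  }
  db_query('DELETE FROM {example_mod_records}');  // hypothetical table
  drupal_set_message(t('All records deleted.'));
}
```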
Remediation
References