Description
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
Remediation
References
Related Vulnerabilities
WordPress Plugin Easy Accordion-Best Accordion FAQ Cross-Site Scripting (2.0.21)
OpenSSL Other Vulnerability (CVE-2004-0081)
WordPress Plugin WC Duplicate Order Security Bypass (1.5)
Nginx Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2019-9511)
Drupal Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2008-3743)