Drupal Improper Access Control Vulnerability - CVE-2016-3165

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has quotaccessquot set to FALSE in the server-side form definition.