Description
Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
References (3)
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2015/dsa-3200
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/73219
Vendor Advisory (x_refsource_confirm): https://www.drupal.org/SA-CORE-2015-001
Scores
EPSS
0.0045
EPSS Percentile
63.8%
Details
CWE
CWE-284
Status
published
Products (2)
debian/debian_linux
7.0
drupal/drupal
6.0 - 6.35
Published
Mar 25, 2015
Tracked Since
Feb 18, 2026