CVE-2016-3170

MEDIUM

Debian Linux < 7.43 - Information Disclosure

Title source: rule

Description

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to log in and a module that permits logging in.

Scores

CVSS v3 5.3
EPSS 0.0050
EPSS Percentile 65.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-200
Status draft

Affected Products (50)

debian/debian_linux
debian/debian_linux
drupal/drupal
drupal/drupal
drupal/drupal
drupal/drupal
drupal/drupal
drupal/drupal
drupal/drupal
drupal/drupal
drupal/drupal
drupal/drupal
drupal/drupal
drupal/drupal
drupal/drupal
... and 35 more

Timeline

Published Apr 12, 2016
Tracked Since Feb 18, 2026