CVE-2016-3170

MEDIUM

Debian Linux < 7.43 - Information Disclosure

Title source: rule

Description

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

References (4)

Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/02/24/19
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/03/15/10
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3498
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/SA-CORE-2016-001

Scores

CVSS v3 5.3
EPSS 0.0050
EPSS Percentile 66.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (35)
debian/debian_linux 7.0
debian/debian_linux 8.0
drupal/core 7.0 - 7.43 (Packagist)
drupal/drupal 7.0 (16 CPE variants)
drupal/drupal 7.1
drupal/drupal 7.2
drupal/drupal 7.3
drupal/drupal 7.4
drupal/drupal 7.5
drupal/drupal 7.6
... and 25 more
Published Apr 12, 2016
Tracked Since Feb 18, 2026