Description

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

Remediation

References

CVE-2016-3170

Related Vulnerabilities

Nginx Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Vulnerability (CVE-2012-2089)

WordPress Plugin AnyFont Cross-Site Scripting (2.2.3)

WordPress Plugin WP-SpamFree Anti-Spam 'id' Parameter SQL Injection (3.2.1)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-3543)

WordPress Plugin Advanced Ads-Ad Manager & AdSense Unspecified Vulnerability (1.7.1.1)

Severity

Medium

Classification

CVE-2016-3170 CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities