Description
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.
Remediation
References
Related Vulnerabilities
Apache HTTP Server Improper Input Validation Vulnerability (CVE-2015-0228)
Apache Traffic Server Improper Access Control Vulnerability (CVE-2014-3624)
Oracle JRE CVE-2014-0463 Vulnerability (CVE-2014-0463)
Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-35614)