Description

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

Remediation

References

CVE-2016-3170

Related Vulnerabilities

Python Incorrect Authorization Vulnerability (CVE-2020-15801)

WordPress 3.7.x Possible SQL Injection Vulnerability (3.7 - 3.7.22)

Grafana CVE-2022-39201 Vulnerability (CVE-2022-39201)

WordPress Plugin Official MailerLite Sign Up Forms SQL Injection (1.4.3)

WordPress Plugin furikake Open Redirect (0.1.0)

Severity

Medium

Classification

CVE-2016-3170 CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities