Description

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

Remediation

References

CVE-2016-3170

Related Vulnerabilities

Ruby Other Vulnerability (CVE-2021-41817)

WordPress Plugin Tutor LMS-eLearning and online course solution SQL Injection (2.6.1)

OpenSSL Improper Certificate Validation Vulnerability (CVE-2025-4575)

WordPress Plugin WP Front-End Repository Manager Arbitrary File Upload (1.1)

Envoy Proxy Detection of Error Condition Without Action Vulnerability (CVE-2024-27919)

Severity

Medium

Classification

CVE-2016-3170 CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities