Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
References
Link | Resource |
---|---|
http://www.debian.org/security/2015/dsa-3200 | Third Party Advisory |
http://www.securityfocus.com/bid/73219 | Third Party Advisory VDB Entry |
https://www.drupal.org/SA-CORE-2015-001 | Vendor Advisory |
Configurations
History
No history.
Information
Published : 2015-03-25 14:59
Updated : 2024-02-04 18:35
NVD link : CVE-2015-2559
Mitre link : CVE-2015-2559
CVE.ORG link : CVE-2015-2559
JSON object : View
Products Affected
debian
- debian_linux
drupal
- drupal
CWE
CWE-284
Improper Access Control