Vulnerability Name: CVE-2015-2559 (CCN-101689)
Assigned: 2015-03-18
Published: 2015-03-18
Updated: 2019-02-05
Summary: Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
CVSS v3 Severity:
  6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVSS v2 Severity:
  3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
  2.6 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)
  4.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-284
Vulnerability Consequences: Bypass Security
References:
  Source: MITRE; Type: CNA; CVE-2015-2559
  Source: DEBIAN; Type: Third Party Advisory; DSA-3200
  Source: BID; Type: Third Party Advisory, VDB Entry; 73219
  Source: CCN; Type: BID-73219; Drupal Core Access Bypass and Open Redirection Vulnerabilities
  Source: XF; Type: UNKNOWN; drupal-core-pwdreseturl-sec-bypass(101689)
  Source: CCN; Type: DRUPAL-SA-CORE-2015-001; Drupal Core - Moderately Critical - Multiple Vulnerabilities
  Source: CONFIRM; Type: Vendor Advisory; https://www.drupal.org/SA-CORE-2015-001