CVE-2016-3170

CWE-200Information Exposure6 documents5 sources
Severity
5.3MEDIUM
EPSS
0.5%
top 34.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Drupal CoreDrupal DrupalDebian Debian Linux
Timeline
PublishedApr 12
Latest updateMay 17

Description

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

Packagistdrupal/core7.07.43+1
Packagistdrupal/drupal8.08.0.4+1
NVDdrupal/drupal46 versions+45

Also affects: Debian Linux 7.0, 8.0

Patches

Patch: www.drupal.orgPatch: www.drupal.org

🔴Vulnerability Details

4
OSV
Drupal sensitive information disclosure2022-05-17
GHSA
Drupal sensitive information disclosure2022-05-17
OSV
CVE-2016-3170: The "have you forgotten your password" links in the User module in Drupal 72016-04-12
CVEList
CVE-2016-3170: The "have you forgotten your password" links in the User module in Drupal 72016-04-12

💬Community

1
Bugzilla
CVE-2016-3162 CVE-2016-3163 CVE-2016-3164 CVE-2016-3165 CVE-2016-3166 CVE-2016-3167 CVE-2016-3168 CVE-2016-3169 CVE-2016-3170 CVE-2016-3171 drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-2016-02-26
CVE-2016-3170 (MEDIUM CVSS 5.3) | The "have you forgotten your passwo | cvebase.io