CVE-2015-2559

high

Description

Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.

References

https://www.drupal.org/SA-CORE-2015-001

http://www.securityfocus.com/bid/73219

http://www.debian.org/security/2015/dsa-3200

Details

Source: Mitre, NVD

Published: 2015-03-25

Updated: 2019-02-05

Risk Information

CVSS v2

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High