SB2015032001 - Arch Linux update for drupal




Published: March 20, 2015

Security Bulletin ID: SB2015032001
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Access bypass (CVE-ID: CVE-2015-2559)

The vulnerability allows remote attackers to access a valid user's account.
The weakness exists because password reset URLs can be forged, especially on sites with external authentication. A malicious user can obtain a target user's account without knowing the password. The vulnerability is exploitable on sites where accounts have an empty password hash or where different users have an identical password hash.
Successful exploitation of this weakness allows an attacker to gain access to the targeted user's account.
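
To check whether a site meets the precondition described above, the following audit lists accounts with an empty password hash and groups of accounts that share one hash. This is an added example, not code from the bulletin or from Drupal; it assumes a `users` table with `uid`, `name` and `pass` columns (uid 0 being the anonymous row), and the sample rows and hash strings are constructed.

```python
import sqlite3
from collections import defaultdict


def find_exposed_accounts(conn):
    """Return (empty, shared): account names with no stored password hash,
    and groups of account names whose stored hash is identical."""
    # Assumed schema: users(uid, name, pass); uid 0 is the anonymous row.
    rows = conn.execute(
        "SELECT uid, name, pass FROM users WHERE uid > 0 ORDER BY uid"
    ).fetchall()
    empty = []
    by_hash = defaultdict(list)
    for _uid, name, pw in rows:
        if pw is None or pw.strip() == "":
            # Typical for externally authenticated accounts.
            empty.append(name)
        else:
            by_hash[pw].append(name)
    shared = sorted(names for names in by_hash.values() if len(names) > 1)
    return empty, shared


def build_sample_db():
    """Constructed sample data standing in for a site database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (0, "", ""),                                  # anonymous row, ignored
        (1, "admin", "$S$CONSTRUCTED-HASH-A"),
        (2, "ldap_alice", ""),                        # empty hash
        (3, "ldap_bob", None),                        # NULL hash
        (4, "import_carol", "$S$CONSTRUCTED-HASH-B"),
        (5, "import_dave", "$S$CONSTRUCTED-HASH-B"),  # same hash as carol
        (6, "erin", "$S$CONSTRUCTED-HASH-C"),
    ])
    return conn


if __name__ == "__main__":
    empty, shared = find_exposed_accounts(build_sample_db())
    print("accounts with empty hash:", empty)
    print("accounts sharing a hash:", shared)
```

Accounts reported by either list are the ones to prioritise when scheduling the update.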

Remediation

Install the update from the vendor's website.