Information disclosure - CVE-2016-3170

Published: September 9, 2016


Vulnerability identifier: #VU402
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-3170
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Drupal
Affected software: Drupal core 6.x before 6.38, 7.x before 7.43, 8.0.x before 8.0.4

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists because the user module identifies accounts by e-mail address as well as by login name. Through the "have you forgotten your password" (request new password) form, an attacker who knows an e-mail address can match it to a user account and so disclose account data that should not be exposed.

Successful exploitation of this vulnerability allows a remote attacker to match e-mail addresses to valid user accounts and obtain sensitive account information.
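The pattern behind this class of bug, shown as an added example that is not Drupal's code and not part of the original advisory: a password-reset handler that accepts an e-mail address and whose visible response depends on whether the address matched an account, next to a hardened handler that answers identically for every input. The account table, handler names, messages and the `leaks_account_existence` check are constructed for illustration; the exact mechanism of the Drupal issue is not reproduced here.

```python
"""Account-matching leak in an e-mail based "forgot password" form.

Added example for this page, not Drupal core code. The user table, message
strings and function names below are assumptions made for illustration.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample account table: username -> e-mail address.
USERS: Dict[str, str] = {
    "admin": "admin@example.org",
    "alice": "alice@example.org",
}

# Outbound mail "queue" so the hardened handler's side effect can be verified.
SENT: List[str] = []


def _send_reset_mail(address: str) -> None:
    """Simulated mail delivery; a real handler would enqueue a reset token."""
    SENT.append(address)


def _lookup(identifier: str) -> Optional[str]:
    """Resolve a login name or an e-mail address to a username, or None."""
    if identifier in USERS:
        return identifier
    wanted = identifier.strip().lower()
    for name, addr in USERS.items():
        if addr.lower() == wanted:
            return name
    return None


def reset_vulnerable(identifier: str) -> str:
    """Vulnerable pattern: the response reveals whether the e-mail matched
    an account, and even echoes the matched username."""
    name = _lookup(identifier)
    if name is None:
        return (f"Sorry, {identifier} is not recognized as a username "
                f"or an e-mail address.")
    _send_reset_mail(USERS[name])
    return f"Further instructions have been sent to the e-mail address of {name}."


def reset_fixed(identifier: str) -> str:
    """Hardened pattern: the lookup result only decides whether mail is sent;
    the visible response is the same for every input and names no account."""
    name = _lookup(identifier)
    if name is not None:
        _send_reset_mail(USERS[name])  # not observable to the requester
    return ("If the username or e-mail address you entered matches an "
            "account, a password reset link has been sent to it.")


def leaks_account_existence(handler: Callable[[str], str],
                            known_email: str, unknown_email: str) -> bool:
    """Differential check a tester would run: the form leaks if the visible
    response differs between a registered and an unregistered address."""
    return handler(known_email) != handler(unknown_email)


if __name__ == "__main__":
    for h in (reset_vulnerable, reset_fixed):
        leak = leaks_account_existence(h, "alice@example.org", "nobody@example.org")
        print(f"{h.__name__}: leaks account existence = {leak}")
```

The hardened handler still sends the reset mail when the address matches, so legitimate users lose nothing; only the requester's view becomes uniform. Response text is only one channel: response time, HTTP status and error codes on the same form should be compared as well, and the lookup should not become measurably slower for unknown addresses.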




How to mitigate CVE-2016-3170

Upgrade Drupal 6.x to Drupal core 6.38.

Upgrade Drupal 7.x to Drupal core 7.43.

Upgrade Drupal 8.0.x to Drupal core 8.0.4.


Sources