CVE-2015-2559

Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.debian.org/security/2015/dsa-3200	Third Party Advisory
http://www.securityfocus.com/bid/73219	Third Party Advisory VDB Entry
https://www.drupal.org/SA-CORE-2015-001	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

History

No history.

Information

Published : 2015-03-25 14:59

Updated : 2023-12-10 11:31

NVD link : CVE-2015-2559

Mitre link : CVE-2015-2559

CVE.ORG link : CVE-2015-2559

JSON object : View

Products Affected

debian

debian_linux

drupal

drupal

CWE

CWE-284

Improper Access Control

{"id": "CVE-2015-2559", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-03-25T14:59:05.453", "references": [{"url": "http://www.debian.org/security/2015/dsa-3200", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/73219", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://www.drupal.org/SA-CORE-2015-001", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL."}, {"lang": "es", "value": "Drupal 6.x anterior a 6.35 y 7.x anterior a 7.35 permite a usuarios remotos autenticados reconfigurar la contrase\u00f1a de otras cuentas mediante el aprovechamiento del mismo hash de contrase\u00f1a que otra cuenta y una URL de reconfiguraci\u00f3n de contrase\u00f1as manipulada."}], "lastModified": "2019-02-05T18:52:06.460", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "517C13CD-B60E-483E-84DA-F2000BB1BC9F", "versionEndExcluding": "6.35", "versionStartIncluding": "6.0"}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "567F3B0A-CEB7-4E9D-B642-299B02912424", "versionEndExcluding": "7.35", "versionStartIncluding": "7.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}