CVE-2015-2559

Published: Mar 25, 2015Modified: May 6, 2026

3.5

Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability: 6.8 / Impact: 2.9

Source: NVD

Description

Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.

Affected (3)

Products: Debian: Debian Linux · Drupal: Drupal

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Drupal Drupal	From 6.0 to 6.35
Drupal Drupal	From 7.0 to 7.35

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

http://www.debian.org/security/2015/dsa-3200

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/73219

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://www.drupal.org/SA-CORE-2015-001

Source: cve@mitre.org

Vendor Advisory

http://www.debian.org/security/2015/dsa-3200

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

http://www.securityfocus.com/bid/73219

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://www.drupal.org/SA-CORE-2015-001

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.