CVSS2 score: 5 (Medium)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector string: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS score: 0.005 (Low)
EPSS percentile: 75.8%
This module provides a way to specify a certain level of password complexity (a.k.a. "password hardening") for user passwords on a system by defining a password policy.
The Password policy module allows administrators to require users to enter a new password that does not match any of the previous X passwords they have used (X is determined by the site configuration). If this feature is enabled, a malicious user with the capability to view another user's HTTP traffic can discover the hashed version of that user's password. This issue is a greater risk for Drupal 6 sites that use the default md5 password hashing.
This issue only affects sites that use the module's "previous passwords" feature and fail to encrypt their users' HTTP transactions with SSL/TLS.
CVE: CVE-2012-5552
Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.
Install the latest version:
Also see the Password policy project page.