The “have you forgotten your password” links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to log in and a module that permits logging in.

CPE

Name | Operator | Version
---|---|---
debian_linux | eq | 8.0
debian_linux | eq | 7.0
drupal | eq | 7.0 alpha5
drupal | eq | 7.0 dev
drupal | eq | 8.0 beta3
drupal | eq | 7.0 alpha7
drupal | eq | 7.39
drupal | eq | 7.40
drupal | eq | 7.16
drupal | eq | 7.21