CVE-2016-3170
Drupal sensitive information disclosure
Severity: 5.3 MEDIUM (CVSS 3.1)
EPSS: 0.50%
Description
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to log in and a module that permits logging in.
How to fix CVE-2016-3170
To remediate CVE-2016-3170, upgrade Drupal to a fixed version:
- Drupal 7.x: upgrade to 7.43 or later
- Drupal 8.x: upgrade to 8.0.4 or later
Is CVE-2016-3170 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.0, < 7.43
- >= 8.0, < 8.0.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |