CVE-2015-2559
Published: 25 March 2015
Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
From the Ubuntu Security Team
It was discovered that password reset URLs in Drupal could be forged. An attacker could use this vulnerability to gain access to another user's account.
Priority
Status
Package | Release | Status
---|---|---
drupal6 | artful | Does not exist
drupal6 | bionic | Does not exist
drupal6 | cosmic | Does not exist
drupal6 | disco | Does not exist
drupal6 | eoan | Does not exist
drupal6 | lucid | Ignored (end of life)
drupal6 | precise | Ignored (end of life)
drupal6 | trusty | Does not exist
drupal6 | upstream | Released (6.35)
drupal6 | utopic | Does not exist
drupal6 | vivid | Does not exist
drupal6 | wily | Does not exist
drupal6 | xenial | Does not exist
drupal6 | yakkety | Does not exist
drupal6 | zesty | Does not exist

Patches (drupal6): upstream: http://cgit.drupalcode.org/drupal/commit/?h=6.x&id=8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93

Package | Release | Status
---|---|---
drupal7 | artful | Not vulnerable (7.32-1+deb8u3)
drupal7 | bionic | Does not exist
drupal7 | cosmic | Does not exist
drupal7 | disco | Does not exist
drupal7 | eoan | Does not exist
drupal7 | lucid | Does not exist
drupal7 | precise | Ignored (end of life)
drupal7 | trusty | Released (7.26-1ubuntu0.1+esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only)
drupal7 | upstream | Released (7.32-1+deb8u2)
drupal7 | utopic | Released (7.32-1+deb8u4build0.14.10.1)
drupal7 | wily | Not vulnerable (7.32-1+deb8u3)
drupal7 | xenial | Not vulnerable (7.32-1+deb8u3)
drupal7 | yakkety | Not vulnerable (7.32-1+deb8u3)
drupal7 | zesty | Not vulnerable (7.32-1+deb8u3)
drupal7 | vivid | Not vulnerable (7.32-1+deb8u3)

Patches (drupal7): upstream: http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8