| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/core | composer | >= 7.0, < 7.43 | 7.43 |
| drupal/core | composer | >= 8.0, < 8.0.4 | 8.0.4 |
| drupal/drupal | composer | >= 8.0, < 8.0.4 | 8.0.4 |
| drupal/drupal | composer | >= 7.0, < 7.43 | 7.43 |
The vulnerability lies in the 'forgot password' functionality of Drupal's User module, handled by the user_pass function in user.pages.inc, which processes password reset requests. When the site allows email-based logins (through configuration or contributed modules), submitting an email address to this function reveals whether that email belongs to a valid account, because a password reset email is sent only when it does. The patched versions likely changed this function so that it no longer explicitly confirms that an email/username pair exists. Confidence in this attribution is high because the vulnerability's description (leakage through the password reset link) maps directly onto the core User module's password reset handling.
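To make the account-enumeration problem concrete, the following is an added example written for this page; it is not Drupal's code and does not reproduce user_pass. It models a minimal reset-request handler in Python with a constructed two-user table and a fake outbox: the vulnerable variant answers differently depending on whether the identifier matched an account (and echoes the matched username), while the hardened variant returns one uniform message and still sends the reset mail only when an account exists. The `is_enumeration_oracle` helper is a hypothetical self-check a site owner could run against their own handler to confirm the responses no longer distinguish known from unknown identifiers.

```python
"""Added illustration of a password-reset enumeration leak and its fix.

Not Drupal code: the handlers, the Account/Outbox types and the sample
users below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Generic message that does not depend on whether the account exists.
UNIFORM_MESSAGE = (
    "If an account matches what you entered, further instructions "
    "have been sent to the email address on file."
)


@dataclass
class Account:
    name: str
    mail: str


# Constructed sample user table (not real accounts).
USERS: List[Account] = [
    Account("alice", "alice@example.org"),
    Account("bob", "bob@example.org"),
]


@dataclass
class Outbox:
    """Stand-in for the mail system so the example runs offline."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def lookup(identifier: str, allow_email: bool) -> Optional[Account]:
    """Find an account by username, or by email when email login is enabled."""
    for user in USERS:
        if user.name == identifier:
            return user
        if allow_email and user.mail.lower() == identifier.lower():
            return user
    return None


def reset_request_vulnerable(identifier: str, outbox: Outbox,
                             allow_email: bool = True) -> str:
    """Leaky handler: the response itself tells the caller whether the
    identifier matched an account, and confirms the username/email pair."""
    account = lookup(identifier, allow_email)
    if account is None:
        return (f"Sorry, {identifier} is not recognized as a username "
                f"or an email address.")
    outbox.send(account.mail, "Reset link (constructed placeholder)")
    return (f"Further instructions have been sent to {account.name} "
            f"at {account.mail}.")


def reset_request_hardened(identifier: str, outbox: Outbox,
                           allow_email: bool = True) -> str:
    """Hardened handler: same response for every input; the reset mail is
    still sent only when an account exists, so only the mailbox owner
    learns anything."""
    account = lookup(identifier, allow_email)
    if account is not None:
        outbox.send(account.mail, "Reset link (constructed placeholder)")
    return UNIFORM_MESSAGE


def is_enumeration_oracle(handler: Callable[..., str],
                          known: str, unknown: str) -> bool:
    """Defensive self-check: True if the handler's visible response differs
    between an identifier that exists and one that does not."""
    return handler(known, Outbox()) != handler(unknown, Outbox())


if __name__ == "__main__":
    known, unknown = "alice@example.org", "nobody@example.org"
    print("vulnerable leaks:", is_enumeration_oracle(reset_request_vulnerable, known, unknown))
    print("hardened leaks:  ", is_enumeration_oracle(reset_request_hardened, known, unknown))
```

Note that the uniform message alone is not the whole fix: if the handler also logged the outcome to a user-visible place, differed noticeably in response time, or echoed the matched account name anywhere, the oracle would survive. The self-check above only compares the returned text, so extend it to whatever channels your application actually exposes.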