Miggo Logo

CVE-2016-3170: Drupal sensitive information disclosure

5.3

CVSS Score
3.0

Basic Information

EPSS Score
0.68159%
Published
5/17/2022
Updated
5/3/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
drupal/corecomposer>= 7.0, < 7.437.43
drupal/corecomposer>= 8.0, < 8.0.48.0.4
drupal/drupalcomposer>= 8.0, < 8.0.48.0.4
drupal/drupalcomposer>= 7.0, < 7.437.43

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability involves the 'forgot password' functionality in Drupal's User module, which is handled by the user_pass function in user.pages.inc. This function processes password reset requests. When the site allows email-based logins (via configuration/modules), submitting an email address to this function would reveal whether the email is associated with a valid account (via the password reset email being sent). The patched versions likely modified this function to avoid confirming the existence of the email-username pair explicitly. The high confidence stems from the direct link between the vulnerability's description (password reset link leakage) and the core User module's password reset handling logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** "**v* you *or*ott*n your p*sswor*" links in t** Us*r mo*ul* in *rup*l *.x ***or* *.** *n* *.x ***or* *.*.* *llow r*mot* *tt**k*rs to o*t*in s*nsitiv* us*rn*m* in*orm*tion *y l*v*r**in* * *on*i*ur*tion t**t p*rmits usin* *n *m*il ***r*ss to lo*in

Reasoning

T** vuln*r**ility involv*s t** '*or*ot p*sswor*' *un*tion*lity in *rup*l's Us*r mo*ul*, w*i** is **n*l** *y t** `us*r_p*ss` *un*tion in `us*r.p***s.in*`. T*is *un*tion pro**ss*s p*sswor* r*s*t r*qu*sts. W**n t** sit* *llows *m*il-**s** lo*ins (vi* `*