5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-3170

GHSA ID

GHSA-pqv4-xgqh-j8vh

EPSS Score

0.68159%

CWE

CWE-200

Published

5/17/2022

Updated

5/3/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-3170

CVE-2016-3170: Drupal sensitive information disclosure

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

(GitHub Advisory)

5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-3170

GHSA ID

GHSA-pqv4-xgqh-j8vh

EPSS Score

0.68159%

CWE

CWE-200

Published

5/17/2022

Updated

5/3/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
drupal/core	composer	>= 7.0, < 7.43	7.43
drupal/core	composer	>= 8.0, < 8.0.4	8.0.4
drupal/drupal	composer	>= 8.0, < 8.0.4	8.0.4
drupal/drupal	composer	>= 7.0, < 7.43	7.43

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability involves the 'forgot password' functionality in Drupal's User module, which is handled by the user_pass function in user.pages.inc. This function processes password reset requests. When the site allows email-based logins (via configuration/modules), submitting an email address to this function would reveal whether the email is associated with a valid account (via the password reset email being sent). The patched versions likely modified this function to avoid confirming the existence of the email-username pair explicitly. The high confidence stems from the direct link between the vulnerability's description (password reset link leakage) and the core User module's password reset handling logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** "**v* you *or*ott*n your p*sswor*" links in t** Us*r mo*ul* in *rup*l *.x ***or* *.** *n* *.x ***or* *.*.* *llow r*mot* *tt**k*rs to o*t*in s*nsitiv* us*rn*m* in*orm*tion *y l*v*r**in* * *on*i*ur*tion t**t p*rmits usin* *n *m*il ***r*ss to lo*in

Reasoning

T** vuln*r**ility involv*s t** '*or*ot p*sswor*' *un*tion*lity in *rup*l's Us*r mo*ul*, w*i** is **n*l** *y t** `us*r_p*ss` *un*tion in `us*r.p***s.in*`. T*is *un*tion pro**ss*s p*sswor* r*s*t r*qu*sts. W**n t** sit* *llows *m*il-**s** lo*ins (vi* `*

5.3

Basic Information

Concerned about an active attack path?

CVE-2016-3170: Drupal sensitive information disclosure

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI