-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from missing cache context specification in the password reset form. In Drupal, cache contexts define content variations. The UserPasswordForm's cache context method lacked variation by password reset token (via URL parameter), causing cached versions to be reused across users. The fix in 8.2.3 added 'url.query_args:pass_reset_token' to ensure cache entries vary per token. This matches the CWE-345 pattern where insufficient validation (of token-bound cache context) enables unauthorized actions.
PHPPHP| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/core | composer | >= 8.0, < 8.2.3 | 8.2.3 |
| drupal/drupal | composer | >= 8.0, < 8.2.3 | 8.2.3 |
Ongoing coverage of React2Shell