CVE-2015-2559

NameCVE-2015-2559
DescriptionDrupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3200-1
NVD severitylow (attack range: remote)
Debian Bugs780772

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
drupal7 (PTS)jessie (security), jessie7.32-1+deb8u12fixed
stretch7.52-2+deb9u2fixed
stretch (security)7.52-2+deb9u4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
drupal6source(unstable)(unfixed)low
drupal6sourcesqueeze(unfixed)end-of-life
drupal7source(unstable)7.32-1+deb8u2low780772
drupal7sourcewheezy7.14-2+deb7u9lowDSA-3200-1

Notes

https://www.drupal.org/SA-CORE-2015-001
http://cgit.drupalcode.org/drupal/commit/?id=8e54eca05a65c6231b02510e1917af0c9191e549

Search for package or bug name: Reporting problems