CVE-2015-2559

NameCVE-2015-2559
DescriptionDrupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3200-1
NVD severitylow (attack range: remote)
Debian Bugs780772

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
drupal7 (PTS)wheezy7.14-2+deb7u12fixed
wheezy (security)7.14-2+deb7u16fixed
jessie (security), jessie7.32-1+deb8u9fixed
stretch (security), stretch7.52-2+deb9u1fixed
buster, sid7.56-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
drupal6source(unstable)(unfixed)low
drupal6sourcesqueeze(unfixed)end-of-life
drupal7source(unstable)7.32-1+deb8u2low780772
drupal7sourcewheezy7.14-2+deb7u9lowDSA-3200-1

Notes

https://www.drupal.org/SA-CORE-2015-001
http://cgit.drupalcode.org/drupal/commit/?id=8e54eca05a65c6231b02510e1917af0c9191e549

Search for package or bug name: Reporting problems