CVE-2015-2559

high

Description

Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.

References

Advisories
More

http://www.securityfocus.com/bid/73219

http://www.debian.org/security/2015/dsa-3200

https://www.drupal.org/SA-CORE-2015-001

Details

Source: Mitre, NVD

Published: 2015-03-25

Updated: 2025-04-12

Risk Information

CVSS v2

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00596

Detections

Analytics