CVE-2016-3170 : The "have you forgotten your password" links in the User module in Drupal 7.x be

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

Published 2016-04-12 15:59:08

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2016-3170

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.10
cpe:2.3:a:drupal:drupal:7.10:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.3
cpe:2.3:a:drupal:drupal:7.3:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.1
cpe:2.3:a:drupal:drupal:7.1:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Beta2
cpe:2.3:a:drupal:drupal:7.0:beta2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha7
cpe:2.3:a:drupal:drupal:7.0:alpha7:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha2
cpe:2.3:a:drupal:drupal:7.0:alpha2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0
cpe:2.3:a:drupal:drupal:7.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.8
cpe:2.3:a:drupal:drupal:7.8:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.7
cpe:2.3:a:drupal:drupal:7.7:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.6
cpe:2.3:a:drupal:drupal:7.6:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.5
cpe:2.3:a:drupal:drupal:7.5:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.4
cpe:2.3:a:drupal:drupal:7.4:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha6
cpe:2.3:a:drupal:drupal:7.0:alpha6:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha5
cpe:2.3:a:drupal:drupal:7.0:alpha5:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha4
cpe:2.3:a:drupal:drupal:7.0:alpha4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha3
cpe:2.3:a:drupal:drupal:7.0:alpha3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update RC3
cpe:2.3:a:drupal:drupal:7.0:rc3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update RC2
cpe:2.3:a:drupal:drupal:7.0:rc2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update RC1
cpe:2.3:a:drupal:drupal:7.0:rc1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update DEV
cpe:2.3:a:drupal:drupal:7.0:dev:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.11
cpe:2.3:a:drupal:drupal:7.11:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.9
cpe:2.3:a:drupal:drupal:7.9:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.2
cpe:2.3:a:drupal:drupal:7.2:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update RC4
cpe:2.3:a:drupal:drupal:7.0:rc4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Beta3
cpe:2.3:a:drupal:drupal:7.0:beta3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Beta1
cpe:2.3:a:drupal:drupal:7.0:beta1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.0 Update Alpha1
cpe:2.3:a:drupal:drupal:7.0:alpha1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.x-dev
cpe:2.3:a:drupal:drupal:7.x-dev:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.12
cpe:2.3:a:drupal:drupal:7.12:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.13
cpe:2.3:a:drupal:drupal:7.13:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.14
cpe:2.3:a:drupal:drupal:7.14:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.15
cpe:2.3:a:drupal:drupal:7.15:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.17
cpe:2.3:a:drupal:drupal:7.17:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.16
cpe:2.3:a:drupal:drupal:7.16:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.18
cpe:2.3:a:drupal:drupal:7.18:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.19
cpe:2.3:a:drupal:drupal:7.19:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.23
cpe:2.3:a:drupal:drupal:7.23:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.22
cpe:2.3:a:drupal:drupal:7.22:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.21
cpe:2.3:a:drupal:drupal:7.21:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.20
cpe:2.3:a:drupal:drupal:7.20:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.24
cpe:2.3:a:drupal:drupal:7.24:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.26
cpe:2.3:a:drupal:drupal:7.26:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.28
cpe:2.3:a:drupal:drupal:7.28:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.25
cpe:2.3:a:drupal:drupal:7.25:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.27
cpe:2.3:a:drupal:drupal:7.27:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.30
cpe:2.3:a:drupal:drupal:7.30:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.29
cpe:2.3:a:drupal:drupal:7.29:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.33
cpe:2.3:a:drupal:drupal:7.33:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.34
cpe:2.3:a:drupal:drupal:7.34:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.37
cpe:2.3:a:drupal:drupal:7.37:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.35
cpe:2.3:a:drupal:drupal:7.35:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.36
cpe:2.3:a:drupal:drupal:7.36:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.38
cpe:2.3:a:drupal:drupal:7.38:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.40
cpe:2.3:a:drupal:drupal:7.40:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.39
cpe:2.3:a:drupal:drupal:7.39:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.3
cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.2
cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta7
cpe:2.3:a:drupal:drupal:8.0:beta7:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta6
cpe:2.3:a:drupal:drupal:8.0:beta6:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta4
cpe:2.3:a:drupal:drupal:8.0:beta4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta3
cpe:2.3:a:drupal:drupal:8.0:beta3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha4
cpe:2.3:a:drupal:drupal:8.0:alpha4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha3
cpe:2.3:a:drupal:drupal:8.0:alpha3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha7
cpe:2.3:a:drupal:drupal:8.0:alpha7:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha6
cpe:2.3:a:drupal:drupal:8.0:alpha6:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.42
cpe:2.3:a:drupal:drupal:7.42:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 7.41
cpe:2.3:a:drupal:drupal:7.41:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update RC1
cpe:2.3:a:drupal:drupal:8.0:rc1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta16
cpe:2.3:a:drupal:drupal:8.0:beta16:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta15
cpe:2.3:a:drupal:drupal:8.0:beta15:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta14
cpe:2.3:a:drupal:drupal:8.0:beta14:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha13
cpe:2.3:a:drupal:drupal:8.0:alpha13:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha12
cpe:2.3:a:drupal:drupal:8.0:alpha12:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha11
cpe:2.3:a:drupal:drupal:8.0:alpha11:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha10
cpe:2.3:a:drupal:drupal:8.0:alpha10:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.1
cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update RC3
cpe:2.3:a:drupal:drupal:8.0:rc3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta12
cpe:2.3:a:drupal:drupal:8.0:beta12:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta10
cpe:2.3:a:drupal:drupal:8.0:beta10:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta1
cpe:2.3:a:drupal:drupal:8.0:beta1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha14
cpe:2.3:a:drupal:drupal:8.0:alpha14:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha9
cpe:2.3:a:drupal:drupal:8.0:alpha9:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha2
cpe:2.3:a:drupal:drupal:8.0:alpha2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update RC4
cpe:2.3:a:drupal:drupal:8.0:rc4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update RC2
cpe:2.3:a:drupal:drupal:8.0:rc2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta13
cpe:2.3:a:drupal:drupal:8.0:beta13:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta11
cpe:2.3:a:drupal:drupal:8.0:beta11:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta9
cpe:2.3:a:drupal:drupal:8.0:beta9:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Beta2
cpe:2.3:a:drupal:drupal:8.0:beta2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha15
cpe:2.3:a:drupal:drupal:8.0:alpha15:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha8
cpe:2.3:a:drupal:drupal:8.0:alpha8:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0 Update Alpha5
cpe:2.3:a:drupal:drupal:8.0:alpha5:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-3170

EPSS FAQ

0.59%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 67 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-3170

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2016-3170

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-3170

http://www.openwall.com/lists/oss-security/2016/02/24/19

oss-security - CVE requests for Drupal core (SA-CORE-2016-001)

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2016/03/15/10

oss-security - Re: CVE requests for Drupal core (SA-CORE-2016-001)

CVEs referencing this url
http://www.debian.org/security/2016/dsa-3498

Debian -- Security Information -- DSA-3498-1 drupal7

CVEs referencing this url
https://www.drupal.org/SA-CORE-2016-001

Access to this page has been denied.
Patch;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-3170

Products affected by CVE-2016-3170

Exploit prediction scoring system (EPSS) score for CVE-2016-3170

CVSS scores for CVE-2016-3170

CWE ids for CVE-2016-3170

References for CVE-2016-3170