SB2016091904 - Password leaked in URL in Drupal




Published: September 19, 2016

Security Bulletin ID: SB2016091904
Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Password leaked in URL (CVE-ID: N/A)

The vulnerability allows a remote user to steal a user's credentials.
The weakness exists due to an access control error. If an anonymous user enters an incorrect username and password and these values are contained in the sortable table of the page, the credentials can easily leak to external sites via the HTTP Referer header or via a specially crafted URL on the Drupal page.
Successful exploitation of the vulnerability allows a malicious user to obtain a valid user's data.

Remediation

Install the update from the vendor's website.
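To check whether credentials have already ended up in URLs on a site, the web server's own access log can be searched for password-like query parameters in the request target and in the Referer field. The following is an added example, not code from the bulletin or from Drupal; it assumes Combined Log Format, a hypothetical parameter list (`pass` is assumed to be the login form's password field), and constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: query parameter names that carry a password; adjust per site.
SENSITIVE = {"pass", "password", "pwd"}

# Combined Log Format:
# host ident user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def sensitive_params(url):
    """Return the names of password-like query parameters present in url."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE})

def scan(lines):
    """Return (time, field, path, param names) per exposure; values are never kept."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format, skip
        for field in ("target", "referer"):
            url = m.group(field)
            names = sensitive_params(url)
            if names:
                findings.append((m.group("time"), field, urlsplit(url).path, names))
    return findings

# Constructed sample log lines (documentation addresses and a dummy password).
SAMPLE = [
    '203.0.113.5 - - [19/Sep/2016:10:00:00 +0000] "GET /node?sort=asc&order=Title HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Sep/2016:10:00:05 +0000] "GET /node?name=alice&pass=CONSTRUCTED-VALUE&sort=asc&order=Title HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Sep/2016:10:00:09 +0000] "GET /about HTTP/1.1" 200 128 "http://example.org/node?name=alice&pass=CONSTRUCTED-VALUE&sort=desc&order=Title" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any account that appears in a finding should have its password changed, since the log file itself now holds the value in clear text.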