CVE-2016-9450 – drupal/core
Package
Manager: composer
Name: drupal/core
Vulnerable Version: >=8.0 <8.2.3
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00228 (percentile: 0.45446)
Details
Drupal Incorrect cache context on password reset page
The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.
Metadata
Created: 2022-05-17T03:38:33Z
Modified: 2024-04-23T17:21:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-98w5-wqp9-w466/GHSA-98w5-wqp9-w466.json
CWE IDs: ["CWE-345"]
Alternative ID: GHSA-98w5-wqp9-w466
Finding: F204
Auto approve: 1