2016-11-25 19:59:02 2016-11-29 19:37:08

The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.

Vector: NETWORK
Complexity: LOW
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE

Drupal Drupal 8.0.0 Beta6 (not an official CPE)
Drupal Drupal 8.0.0 Beta4 (not an official CPE)
Drupal Drupal 8.0.0 Beta7 (not an official CPE)
Drupal Drupal 8.0.0 Beta2 (not an official CPE)
Drupal Drupal 8.1.0 Rc1 (not an official CPE)
Drupal Drupal 8.2.0 Beta2 (not an official CPE)
Drupal Drupal 8.0.0 Beta3 (not an official CPE)
Drupal Drupal 8.1.10 (not an official CPE)
Drupal Drupal 8.1.1 (not an official CPE)
Drupal Drupal 8.2.0 Beta3 (not an official CPE)
Drupal Drupal 8.0.0 Beta1 (not an official CPE)
Drupal Drupal 8.1.0 (not an official CPE)
Drupal Drupal 8.2.0 Beta1 (not an official CPE)
Drupal Drupal 8.1.2 (not an official CPE)
Drupal Drupal 8.1.9 (not an official CPE)
Drupal Drupal 8.1.8 (not an official CPE)
Drupal Drupal 8.1.7 (not an official CPE)
Drupal Drupal 8.1.5 (not an official CPE)
Drupal Drupal 8.1.4 (not an official CPE)
Drupal Drupal 8.1.3 (not an official CPE)
Drupal Drupal 8.0.0 Alpha8 (not an official CPE)
Drupal Drupal 8.0.0 Alpha6 (not an official CPE)
Drupal Drupal 8.0.0 Alpha9 (not an official CPE)
Drupal Drupal 8.0.0 Beta10 (not an official CPE)
Drupal Drupal 8.0.0 Alpha4 (not an official CPE)
Drupal Drupal 8.0.0 Alpha2 (not an official CPE)
Drupal Drupal 8.0.0 Alpha5 (not an official CPE)
Drupal Drupal 8.1.6 (not an official CPE)
Drupal Drupal 8.0.0 Alpha3 (not an official CPE)
Drupal Drupal 8.0.0 Beta9 (not an official CPE)
Drupal Drupal 8.0.0 Beta12 (not an official CPE)
Drupal Drupal 8.0.0 Beta13 (not an official CPE)
Drupal Drupal 8.0.0 Alpha7 (not an official CPE)
Drupal Drupal 8.0.0 Beta16 (not an official CPE)
Drupal Drupal 8.0.0 Beta11 (not an official CPE)
Drupal Drupal 8.0.0 Beta14 (not an official CPE)
Drupal Drupal 8.0.0 Beta15 (not an official CPE)
Drupal Drupal 8.0.0 Alpha14 (not an official CPE)
Drupal Drupal 8.0.0 Rc2 (not an official CPE)
Drupal Drupal 8.2.0 Rc1 (not an official CPE)
Drupal Drupal 8.2.0 Rc2 (not an official CPE)
Drupal Drupal 8.1.0 Beta2 (not an official CPE)
Drupal Drupal 8.2.0 (not an official CPE)
Drupal Drupal 8.0.2 (not an official CPE)
Drupal Drupal 8.1.0 Beta1 (not an official CPE)
Drupal Drupal 8.0.0 Rc3 (not an official CPE)
Drupal Drupal 8.0.1 (not an official CPE)
Drupal Drupal 8.0.0 (not an official CPE)
Drupal Drupal 8.0.0 Rc4 (not an official CPE)
Drupal Drupal 8.0.0 Rc1 (not an official CPE)
Drupal Drupal 8.0.0 Alpha13 (not an official CPE)
Drupal Drupal 8.0.0 Alpha15 (not an official CPE)
Drupal Drupal 8.2.1 (not an official CPE)
Drupal Drupal 8.0.3 (not an official CPE)
Drupal Drupal 8.0.6 (not an official CPE)
Drupal Drupal 8.0.5 (not an official CPE)
Drupal Drupal 8.2.2 (not an official CPE)
Drupal Drupal 8.0.4 (not an official CPE)
Drupal Drupal 8.0.0 Alpha12 (not an official CPE)
Drupal Drupal 8.0.0 Alpha11 (not an official CPE)
Drupal Drupal 8.0.0 Alpha10 (not an official CPE)

Advisory Patch Confirmed Link
https://www.drupal.org/SA-CORE-2016-005
94367