Cache Poisoning Affecting drupal/core package, versions >=8, <8.2.3


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.14% (51st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-DRUPALCORE-70054
  • published16 Nov 2016
  • disclosed16 Nov 2016
  • creditCharlotte Bone

Introduced: 16 Nov 2016

CVE-2016-9450  (opens in a new tab)
CWE-444  (opens in a new tab)

How to fix?

Upgrade drupal/core to version 8.2.3 or higher.

Overview

Affected versions of drupal/core are vulnerable to Cache Poisoning.

The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page.

CVSS Scores

version 3.1