CVE-2015-2559 Information

Description

Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.

Reference

http://www.debian.org/security/2015/dsa-3200 http://www.securityfocus.com/bid/73219 https://www.drupal.org/SA-CORE-2015-001