Date
Severity
Moderately Critical
Vulnerability
Username Enumeration via Password Reset Flood Control Bypass
Affected versions
<7.x-1.4
Description
The Username Enumeration Prevention module helps protect Drupal 7 sites against username enumeration attacks by returning consistent error messages during login and password reset attempts. However, the module's password reset validation function lacked flood control, so an attacker sending rapid password reset requests could potentially bypass the username enumeration prevention it provides.
This security enhancement backports flood control functionality from Drupal core to limit the number of password recovery requests from a single IP address, preventing abuse that could be used to enumerate valid usernames.
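To illustrate the kind of per-IP limit described above, here is an added PHP sketch of a Drupal 7 validate handler built on core's flood API; it is not the module's own code, and the `mymodule_*` names, the flood event name and the default limits are assumptions.

```php
<?php
/**
 * Added illustration (not the module's code): a per-IP flood check on the
 * Drupal 7 password reset form (user_pass), using core's flood API.
 * Function names, the event name and the default limits are assumptions.
 */

/**
 * Implements hook_form_FORM_ID_alter() for user_pass.
 *
 * Prepends our handler so the flood decision is taken before any other
 * validate handler looks up the submitted name.
 */
function mymodule_form_user_pass_alter(&$form, &$form_state) {
  array_unshift($form['#validate'], 'mymodule_pass_flood_validate');
}

/**
 * Validate handler: reject the request once an IP exceeds the limit.
 *
 * The same error text is used whether or not the submitted name exists,
 * so the response does not reveal which usernames are valid.
 */
function mymodule_pass_flood_validate($form, &$form_state) {
  // Assumed defaults: 50 requests per hour per IP, overridable via variables.
  $limit  = variable_get('mymodule_pass_reset_ip_limit', 50);
  $window = variable_get('mymodule_pass_reset_ip_window', 3600);

  // flood_is_allowed() defaults the identifier to the client IP address.
  if (!flood_is_allowed('mymodule_pass_reset_ip', $limit, $window)) {
    form_set_error('name', t('Too many password reset attempts from your IP address. Please try again later.'));
    // With an error set, the form will not be submitted.
    return;
  }

  // Count this attempt regardless of whether the account exists, so the
  // counter itself cannot be used as an oracle for valid usernames.
  flood_register_event('mymodule_pass_reset_ip', $window);
}
```

Because Drupal 7 still runs the remaining validate handlers after an error is set, the consistent-message behaviour of those handlers is what keeps the rejected response indistinguishable for valid and invalid names.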
Solution
Upgrade to Username Enumeration Prevention 7.x-1.4 or later.
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES