Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-45440

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

Published

2024-08-29T11:15:27.083

Last Modified

2025-04-21T15:15:58.527

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Primary
CWE-209
Type: Secondary
CWE-209

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	drupal	drupal	2023-05-09	Yes

References

https://senscybersecurity.nl/CVE-2024-45440-Explained/ Third Party Advisory ([email protected])
https://www.drupal.org/project/drupal/issues/3457781 Vendor Advisory ([email protected])
https://www.exploit-db.com/exploits/52266 (af854a3a-2127-422b-91ae-364da2661108)