← back
CVE-2024-45440

CVE-2024-45440

CVSS 5.3 MEDIUMEPSS 9.3%CWE-209
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
Drupal · Drupal core
public PoCs found3
githubgithub.com/w0r1i0g1ht/CVE-2024-454402githubgithub.com/zoomdbz/CVE-2024-454401cve_referencewww.exploit-db.com/exploits/52266unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://senscybersecurity.nl/CVE-2024-45440-Explained/https://www.drupal.org/project/drupal/issues/3457781https://www.exploit-db.com/exploits/52266