CVE-2024-45440

medium

Description

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

References

https://www.drupal.org/project/drupal/issues/3457781

https://senscybersecurity.nl/CVE-2024-45440-Explained/

Details

Source: Mitre, NVD

Published: 2024-08-29

Updated: 2024-10-28

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N