Drupal Full Path Disclosure

Low severity GitHub Reviewed Published Aug 29, 2024 to the GitHub Advisory Database • Updated Sep 3, 2024

Package: drupal/core (Composer)
Affected versions: = 11.x-dev
Patched versions: None

Package: drupal/core-recommended (Composer)
Affected versions: = 11.x-dev
Patched versions: None

Package: drupal/drupal (Composer)
Affected versions: = 11.x-dev
Patched versions: None

Description

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
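
To check whether a site matches the condition in the description, the following added example (not part of the advisory or of Drupal) scans a settings.php for an active `$settings['hash_salt'] = file_get_contents(...)` line and tests the file it points to. The function names, status labels and sample files are assumptions made for the illustration, and the sample files are constructed.

```python
import os
import re
import tempfile

# Active (uncommented) line: $settings['hash_salt'] = file_get_contents(<arg>);
ASSIGN = re.compile(
    r"""^[ \t]*\$settings\[\s*['"]hash_salt['"]\s*\]\s*=\s*file_get_contents\(\s*(.*?)\s*\)\s*;""",
    re.MULTILINE,
)
LITERAL = re.compile(r"""^(['"])([^'"$]+)\1$""")  # plain quoted string, no interpolation


def audit_hash_salt(settings_path):
    """Return (status, detail) for one settings.php file."""
    with open(settings_path, encoding="utf-8", errors="replace") as fh:
        matches = ASSIGN.findall(fh.read())
    if not matches:
        return ("not-file-based", None)
    arg = matches[-1]  # the last assignment is the one PHP ends up with
    literal = LITERAL.match(arg)
    if not literal:
        return ("dynamic", arg)  # constants or concatenation: review by hand
    salt = literal.group(2)
    if not os.path.isabs(salt):
        return ("relative", salt)  # depends on PHP's working directory
    if not os.path.isfile(salt):
        return ("missing", salt)  # the condition named in the advisory
    if not os.access(salt, os.R_OK):  # checked as the user running this script
        return ("unreadable", salt)
    if os.path.getsize(salt) == 0:
        return ("empty", salt)
    return ("ok", salt)


def demo():
    """Audit two constructed settings.php files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        salt = os.path.join(tmp, "salt.txt")
        with open(salt, "w") as fh:
            fh.write("constructed-sample-salt\n")
        for name, target in (("good", salt), ("bad", os.path.join(tmp, "gone.txt"))):
            path = os.path.join(tmp, name + ".settings.php")
            with open(path, "w") as fh:
                fh.write("<?php\n# $settings['hash_salt'] = file_get_contents('/x');\n")
                fh.write("$settings['hash_salt'] = file_get_contents('%s');\n" % target)
            results[name] = audit_hash_salt(path)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Run the audit under the web server's account so that the readability result reflects what PHP would see.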

References

Published by the National Vulnerability Database Aug 29, 2024
Published to the GitHub Advisory Database Aug 29, 2024
Reviewed Aug 29, 2024
Last updated Sep 3, 2024

Severity

Low

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-45440

GHSA ID

GHSA-mg8j-w93w-xjgc

Source code

No known source code