Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-45440

CWE-209CWE-4977 documents6 sources
Severity
5.3MEDIUM
EPSS
87.2%
top 0.55%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
4
Drupal CoreDrupal Core-recommendedDrupal Drupal+1 more
Timeline
PublishedAug 29
Latest updateApr 19

Description

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

Packagistdrupal/core10.3.010.3.6+2
Packagistdrupal/core-recommended10.3.010.3.6+2
CVEListV5drupal/drupal_corev11.x-dev
Packagistdrupal/drupal10.3.010.3.6+2
NVDdrupal/drupal2023-05-09

🔴Vulnerability Details

4
OSV
CVE-2024-45440: core/authorize2024-08-29
CVEList
CVE-2024-45440: core/authorize2024-08-29
GHSA
Drupal Full Path Disclosure2024-08-29
OSV
Drupal Full Path Disclosure2024-08-29

💥Exploits & PoCs

2
Exploit-DB
Drupal 11.x-dev - Full Path Disclosure2025-04-19
Nuclei
Drupal 11.x-dev - Full Path Disclosure
CVE-2024-45440 (MEDIUM CVSS 5.3) | core/authorize.php in Drupal 11.x-d | cvebase.io