| Title | Published | Family |
|---|---|---|
| Exploit for Generation of Error Message Containing Sensitive Information in Drupal | 10 Feb 2026 16:18 | githubexploit |
| The vulnerability of the /core/authorize.php file in the Drupal CMS system allows a hacker to disclose protected information. | 3 Oct 2024 00:00 | bdu_fstec |
| CVE-2024-45440 | 29 Aug 2024 13:42 | circl |
| Drupal security vulnerability | 29 Aug 2024 00:00 | cnnvd |
| CVE-2024-45440 | 29 Aug 2024 00:00 | cve |
| CVE-2024-45440 | 29 Aug 2024 00:00 | cvelist |
| Drupal 11.x-dev - Full Path Disclosure | 19 Apr 2025 00:00 | exploitdb |
| Drupal Full Path Disclosure | 29 Aug 2024 12:31 | github |
| CVE-2024-45440 | 29 Aug 2024 11:15 | nvd |
| Drupal Information Disclosure Vulnerability (GHSA-mg8j-w93w-xjgc) - Linux - Version Check | 3 Feb 2025 00:00 | openvas |

```yaml
id: CVE-2024-45440

info:
  name: Drupal 11.x-dev - Full Path Disclosure
  author: DhiyaneshDK
  severity: medium
  description: |
    core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
  impact: |
    Attackers can obtain full path disclosure information even when error logging is disabled.
  remediation: |
    Configure hash_salt properly and ensure it references an existing file, or update to a patched Drupal version.
  reference:
    - https://senscybersecurity.nl/CVE-2024-45440-Explained/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-45440
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2024-45440
    cwe-id: CWE-209
    epss-score: 0.09269
    epss-percentile: 0.94752
    cpe: cpe:2.3:a:drupal:drupal:2023-05-09:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    verified: true
    vendor: drupal
    product: drupal
    shodan-query:
      - http.component:"drupal"
      - cpe:"cpe:2.3:a:drupal:drupal"
  tags: cve,cve2024,drupal,exposure,error,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/core/authorize.php"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "getHashSalt"
          - "RuntimeException"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a00463044022077d6baebdcc5c3b475fce553bbd6d4bc33a57d5fc63ef0ad4e9b598d3a4c58060220589dcde02d67a37033d65658fdb3942eaeb634c189e05eec175045a9ac09493a:922c64590222798bb761d5b6d8e72950
```