NewsSecurity Vulnerabilities

Drupal Full Path Disclosure Vulnerability [CVE-2024-45440]

CVE number = CVE-2024-45440

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

After installing the Drupal application the developer can change the hash_salt variable on line 268 in the /sites/default/settings.php file.

Further details = https://www.drupal.org/project/drupal/issues/3457781

Luke Simmonds

Blogger at www.systemtek.co.uk

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.