CVE-2024-45440

MEDIUM NUCLEI LAB

Drupal 11.x-dev - Info Disclosure

Title source: llm

Description

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

Exploits (3)

exploitdb SCANNER

by Milad karimi · pythonwebappsphp

https://www.exploit-db.com/exploits/52266

View Code ZIP pw:eip

nomisec SCANNER 2 stars

by w0r1i0g1ht · poc

https://github.com/w0r1i0g1ht/CVE-2024-45440

View Code ZIP pw:eip

nomisec SCANNER

by zoomdbz · poc

https://github.com/zoomdbz/CVE-2024-45440

View Code ZIP pw:eip

Nuclei Templates (1)

Drupal 11.x-dev - Full Path Disclosure

MEDIUMVERIFIEDby DhiyaneshDK

Shodan: http.component:"drupal" || cpe:"cpe:2.3:a:drupal:drupal"

References (3)

[Third Party Advisory] https://senscybersecurity.nl/CVE-2024-45440-Explained/

[Vendor Advisory] https://www.drupal.org/project/drupal/issues/3457781

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/52266

Scores

CVSS v3 5.3

EPSS 0.8723

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Lab Environment

COMMUNITY

Community Lab

docker pull drupal:10.1.8

https://github.com/w0r1i0g1ht/CVE-2024-45440

https://github.com/zoomdbz/CVE-2024-45440

View in Library

Details

CWE

CWE-209

Status published

Products (4)

drupal/core 10.3.0 - 10.3.6Packagist

drupal/core-recommended 10.3.0 - 10.3.6Packagist

drupal/drupal 2023-05-09

drupal/drupal 10.3.0 - 10.3.6Packagist

Published Aug 29, 2024

Tracked Since Feb 18, 2026