GHSA-mg8j-w93w-xjgc
GitHub Security Advisory
Drupal Full Path Disclosure
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
`core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist.
Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
|---|---|---|---|
| Packagist | drupal/drupal | 10.3.0 | 10.3.6 |
| Packagist | drupal/drupal | 11.0.0 | 11.0.5 |
| Packagist | drupal/core-recommended | 10.3.0 | 10.3.6 |
| Packagist | drupal/core-recommended | 11.0.0 | 11.0.5 |
| Packagist | drupal/core | 10.3.0 | 10.3.6 |
| Packagist | drupal/core | 11.0.0 | 11.0.5 |
| Packagist | drupal/drupal | 8.0.0 | 10.2.9 |
| Packagist | drupal/core-recommended | 8.0.0 | 10.2.9 |
| Packagist | drupal/core | 8.0.0 | 10.2.9 |
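An added audit sketch (not part of the advisory or of Drupal) that checks a site for the two conditions described here: an installed package inside an affected range, and a `settings.php` whose `hash_salt` is read with `file_get_contents` from a file that does not exist. It assumes each listed range means "from the affected version up to, but not including, the fixed version"; the function names and sample data are constructed for illustration.

```python
import re
from pathlib import Path

# Ranges listed in this advisory, read as first-affected <= v < fixed (assumption).
AFFECTED = [((8, 0, 0), (10, 2, 9)), ((10, 3, 0), (10, 3, 6)), ((11, 0, 0), (11, 0, 5))]
PACKAGES = {"drupal/drupal", "drupal/core", "drupal/core-recommended"}

# Uncommented settings.php line with a literal path:
#   $settings['hash_salt'] = file_get_contents('/path/to/salt.txt');
# Paths built from expressions (concatenation, constants) are not resolved here.
SALT_RE = re.compile(
    r"""^[ \t]*\$settings\[['"]hash_salt['"]\]\s*=\s*file_get_contents\(\s*['"]([^'"]+)['"]\s*\)""",
    re.M,
)

def parse_version(version):
    """Return (major, minor, patch), or None for branch aliases such as 11.x-dev."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    v = parse_version(version)
    return v is not None and any(lo <= v < hi for lo, hi in AFFECTED)

def affected_packages(lock):
    """lock: composer.lock content parsed with json.load()."""
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    return sorted((p["name"], p["version"]) for p in pkgs
                  if p["name"] in PACKAGES and is_affected(p["version"]))

def missing_salt_files(settings_php, exists=lambda p: Path(p).is_file()):
    """Literal hash_salt file paths in settings.php text that do not exist."""
    return [p for p in SALT_RE.findall(settings_php) if not exists(p)]

# Constructed sample input, not taken from any real site.
SAMPLE_LOCK = {"packages": [
    {"name": "drupal/core", "version": "10.3.5"},
    {"name": "drupal/core-recommended", "version": "11.0.5"},
    {"name": "symfony/console", "version": "v6.4.1"},
]}
SAMPLE_SETTINGS = """<?php
# $settings['hash_salt'] = file_get_contents('/commented/out/salt.txt');
$settings['hash_salt'] = file_get_contents('/constructed/path/salt.txt');
"""

if __name__ == "__main__":
    print("affected packages:", affected_packages(SAMPLE_LOCK))
    print("missing salt files:", missing_salt_files(SAMPLE_SETTINGS))
```

Branch aliases such as `11.x-dev` have no comparable version number, so `is_affected` reports them as not matched; check those installs against the fixed releases by hand.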
Related CVEs
Key Information
5.0/10
Dataset
Last updated: June 18, 2025 6:25 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.