Cyber Posture

CVE-2024-13240

High

Published: 09 January 2025

Modified: 04 June 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0033 (55.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations. This issue affects Open Social: from 0.0.0 before 12.05.

Security Summary

CVE-2024-13240 is an improper access control vulnerability (CWE-284) in the Drupal Open Social module that allows attackers to collect data from common resource locations. This issue affects Open Social versions from 0.0.0 up to but not including 12.05.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), meaning unauthenticated remote attackers can exploit it over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact unauthorized access to confidential data without affecting integrity or availability.

The Drupal security advisory SA-CONTRIB-2024-004 at https://www.drupal.org/sa-contrib-2024-004 provides further details on the vulnerability and mitigation steps.

Details

CWE(s)
CWE-284, NVD-CWE-noinfo

Affected Products

Vendor: getopensocial
Product: open social
10.0.0 — 12.0.5

References