CVE-2024-13241
Published: 09 January 2025
Description
Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations. This issue affects Open Social: from 0.0.0 before 12.0.5.
Security Summary
CVE-2024-13241 is an improper authorization vulnerability in the Drupal Open Social distribution that allows attackers to collect data from common resource locations. It affects all versions of Open Social from 0.0.0 up to but not including 12.0.5. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity with no privileges or user interaction required.
Remote attackers with network access can exploit this vulnerability without authentication: the attack is of low complexity and requires no special privileges or user interaction. Successful exploitation enables unauthorized data collection from common resource locations, potentially leading to high confidentiality and integrity violations, such as accessing sensitive information or modifying data without proper authorization.
The Drupal Security Advisory at https://www.drupal.org/sa-contrib-2024-005 provides details on the issue. Mitigation involves updating to Open Social version 12.0.5 or later, which resolves the improper authorization flaw.
Details
- CWE(s)