CVE-2024-13244
Published: 09 January 2025
Description
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Migrate Tools allows Cross Site Request Forgery. This issue affects Migrate Tools: from 0.0.0 before 6.0.3.
Security Summary
CVE-2024-13244 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the Drupal Migrate Tools module. This flaw impacts all versions from 0.0.0 up to but not including 6.0.3. The vulnerability enables attackers to forge requests on behalf of authenticated users interacting with Drupal sites using the affected module, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, no privileges required, and high impacts across confidentiality, integrity, and availability.
Exploitation requires an attacker to trick an authenticated Drupal user into performing a specific action, such as visiting a malicious webpage or clicking a crafted link, which submits a forged request to the vulnerable Migrate Tools endpoint. No authentication is needed by the attacker, making it feasible for remote actors targeting users of affected sites. Successful exploitation allows the attacker to execute unauthorized actions with the victim's privileges, potentially leading to high-impact outcomes like data modification, deletion, or exposure.
The official Drupal security advisory SA-CONTRIB-2024-008 details the issue and recommends upgrading to Migrate Tools version 6.0.3 or later, where the vulnerability has been patched. Site administrators should review installed modules, apply the update promptly, and consider enabling Drupal's built-in CSRF protections as a general best practice. Additional details are available at https://www.drupal.org/sa-contrib-2024-008.
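As an added illustration, not Migrate Tools' own routes or code, the following hypothetical module routing file shows the Drupal route-level CSRF protection referred to above: a state-changing GET route declared without it, beside the corrected declaration. The module name `example_csrf`, the paths and the permission string are assumptions.

```yaml
# Hypothetical module "example_csrf" (constructed for illustration; these are
# NOT Migrate Tools' actual routes).

# Weak: a GET route that performs a state change (running a job) with only a
# permission check. Any page the logged-in administrator visits can embed this
# URL (image tag, link, redirect) and the browser will send it with the
# victim's session cookie, which is exactly the CSRF pattern in CWE-352.
example_csrf.run_unprotected:
  path: '/admin/example/run-unprotected/{job}'
  defaults:
    _controller: '\Drupal\example_csrf\Controller\RunController::run'
  requirements:
    _permission: 'administer example jobs'

# Hardened: the same route with Drupal's built-in CSRF requirement. The
# access check now rejects any request whose "token" query parameter is not a
# valid CSRF token for the current session and this path, so a forged request
# from another origin is denied even though the permission check would pass.
example_csrf.run:
  path: '/admin/example/run/{job}'
  defaults:
    _controller: '\Drupal\example_csrf\Controller\RunController::run'
  requirements:
    _permission: 'administer example jobs'
    _csrf_token: 'TRUE'
```

Links to the protected route must be generated through Drupal's routing layer (for example `Url::fromRoute('example_csrf.run', ['job' => $id])`), which appends the `token` query parameter automatically; forms built with the Form API already carry their own `form_token`, so this requirement is only needed for non-form, state-changing routes.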
Details
- CWE(s)