CVE-2024-13251

High

Published: 09 January 2025

Published

09 January 2025

Modified

04 June 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0034 57.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect Privilege Assignment vulnerability in Drupal Registration role allows Privilege Escalation.This issue affects Registration role: from 0.0.0 before 2.0.1.

Security Summary

CVE-2024-13251 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Drupal Registration role module that allows privilege escalation. The issue affects the Registration role module from version 0.0.0 before 2.0.1. Published on January 9, 2025, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables privilege escalation, granting high-level access that compromises confidentiality, integrity, and availability of the affected Drupal instance.

The Drupal security advisory SA-CONTRIB-2024-015 details the vulnerability and mitigation steps, available at https://www.drupal.org/sa-contrib-2024-015. Administrators should upgrade the Registration role module to version 2.0.1 or later to remediate the issue.

Details

CWE(s): CWE-266NVD-CWE-Other

Affected Products

registration role project

registration role

≤ 2.0.1

References

https://www.drupal.org/sa-contrib-2024-015
Vendor Advisory · mlhess@drupal.org