CVE-2024-13253

Critical

Published: 09 January 2025

Published

09 January 2025

Modified

04 June 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0039 59.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect Authorization vulnerability in Drupal Advanced PWA inc Push Notifications allows Forceful Browsing.This issue affects Advanced PWA inc Push Notifications: from 0.0.0 before 1.5.0.

Security Summary

CVE-2024-13253 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Advanced PWA inc Push Notifications module that allows Forceful Browsing. This issue affects all versions of the module from 0.0.0 before 1.5.0. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites like privileges or user interaction.

Remote, unauthenticated attackers can exploit this vulnerability over the network by engaging in forceful browsing. Successful exploitation enables high-impact disruption to integrity and availability, such as unauthorized modifications or denial of service, while confidentiality remains unaffected.

The Drupal security advisory SA-CONTRIB-2024-017 details the vulnerability and recommends upgrading to version 1.5.0 or later of the Advanced PWA inc Push Notifications module as the primary mitigation.

Details

CWE(s): CWE-863

Affected Products

advanced pwa inc push notifications project

advanced pwa inc push notifications

≤ 8.x-1.5

References

https://www.drupal.org/sa-contrib-2024-017
Vendor Advisory · mlhess@drupal.org