CVE-2024-13254

High

Published: 09 January 2025

Published

09 January 2025

Modified

04 June 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0039 59.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Insertion of Sensitive Information Into Sent Data vulnerability in Drupal REST Views allows Forceful Browsing.This issue affects REST Views: from 0.0.0 before 3.0.1.

Security Summary

CVE-2024-13254 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the Drupal REST Views module, which allows forceful browsing. This issue affects REST Views versions from 0.0.0 before 3.0.1. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high severity primarily due to its potential for high confidentiality impact over the network.

An unauthenticated remote attacker can exploit this vulnerability with low attack complexity and no user interaction. By performing forceful browsing on REST Views endpoints, the attacker can access sensitive information that is improperly included in sent data.

The Drupal security advisory SA-CONTRIB-2024-018 addresses this issue and recommends updating to REST Views version 3.0.1 or later for mitigation.

Details

CWE(s): CWE-201NVD-CWE-Other

Affected Products

rest views project

rest views

≤ 3.0.1

References

https://www.drupal.org/sa-contrib-2024-018
Vendor Advisory · mlhess@drupal.org