Cyber Posture

CVE-2024-13255

High

Published: 09 January 2025

Modified: 04 June 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0018 (39.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Exposure of Sensitive Information Through Data Queries vulnerability in Drupal RESTful Web Services allows Forceful Browsing. This issue affects RESTful Web Services: from 7.X-2.0 before 7.X-2.10.

Security Summary

CVE-2024-13255 is an Exposure of Sensitive Information Through Data Queries vulnerability in the Drupal RESTful Web Services module, enabling forceful browsing. This issue affects RESTful Web Services versions from 7.X-2.0 before 7.X-2.10. The vulnerability is classified under CWE-202 and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no effect on integrity or availability.

The attack is remote and of low complexity: an attacker needs only network access, with no privileges and no user interaction. Successful exploitation allows disclosure of sensitive information through crafted data queries targeting the RESTful endpoints.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-019 details mitigation steps, with the issue resolved in RESTful Web Services version 7.X-2.10. Site administrators should update to this or later versions to address the vulnerability.

Details

CWE(s)
CWE-202, NVD-CWE-Other

Affected Products

restful web services project
restful web services
7.x-2.0 — 7.x-2.10
