Cyber Posture

CVE-2024-13256

High

Published: 09 January 2025

Modified: 04 June 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0030 (53.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing. This issue affects Email Contact: from 0.0.0 before 2.0.4.

Security Summary

CVE-2024-13256 is an Insufficient Granularity of Access Control vulnerability in the Drupal Email Contact module that allows Forceful Browsing. This issue affects Email Contact versions from 0.0.0 before 2.0.4.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating it is exploitable over the network with low complexity, no privileges, and no user interaction required. Unauthenticated remote attackers can perform forceful browsing to bypass access controls, resulting in high integrity impact such as unauthorized modifications.

The Drupal security advisory SA-CONTRIB-2024-020 at https://www.drupal.org/sa-contrib-2024-020 provides details on mitigation, with the issue resolved in Email Contact version 2.0.4.

Details

CWE(s)
CWE-1220, NVD-CWE-Other

Affected Products

email contact project
email contact
≤ 2.0.4
