CVE-2024-13258
Published: 09 January 2025
Description
Incorrect Authorization vulnerability in Drupal REST & JSON API Authentication allows Forceful Browsing. This issue affects Drupal REST & JSON API Authentication: from 0.0.0 before 2.0.13.
Security Summary
CVE-2024-13258 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal REST & JSON API Authentication contrib module, which allows forceful browsing past authorization checks. The issue affects all versions of the module from 0.0.0 before 2.0.13. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.
Remote, unauthenticated attackers can exploit the vulnerability by sending crafted requests to REST and JSON API endpoints, bypassing authorization controls. This enables them to access, modify, or delete sensitive data and resources without permission, resulting in high impacts on confidentiality, integrity, and availability, potentially leading to complete site compromise.
The Drupal security advisory SA-CONTRIB-2024-022, published on 2025-01-09, documents the vulnerability and recommends updating the Drupal REST & JSON API Authentication module to version 2.0.13 or later as the primary mitigation.
Details
- CWE(s)