Cyber Posture

CVE-2024-13259

High

Published: 09 January 2025

Modified: 04 June 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0039 (59.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Insertion of Sensitive Information Into Sent Data vulnerability in Drupal Image Sizes allows Forceful Browsing. This issue affects Image Sizes: from 0.0.0 before 3.0.2.

Security Summary

CVE-2024-13259 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the Drupal Image Sizes module. This issue affects all versions of the module from 0.0.0 before 3.0.2 and enables forceful browsing: a client that requests the affected resources directly, rather than through the intended navigation, receives responses that include sensitive data the module should not have sent.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required. Attackers can achieve high-impact confidentiality violations by forcefully browsing to certain endpoints, resulting in the disclosure of sensitive information sent by the application.

The Drupal security advisory SA-CONTRIB-2024-023 at https://www.drupal.org/sa-contrib-2024-023 provides details on the vulnerability and recommends updating the Image Sizes module to version 3.0.2 or later as the primary mitigation.

Details

CWE(s)
CWE-201, NVD-CWE-Other

Affected Products

Vendor: image sizes project
Product: image sizes
Versions: ≤ 3.0.2

References