CVE-2024-13260
Published: 09 January 2025
Description
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Migrate queue importer allows Cross Site Request Forgery. This issue affects Migrate queue importer: from 0.0.0 before 2.1.1.
Security Summary
CVE-2024-13260 is a Cross-Site Request Forgery (CSRF) vulnerability in the Drupal Migrate queue importer module. This issue affects all versions of the module from 0.0.0 up to but not including 2.1.1. The vulnerability, mapped to CWE-352, enables attackers to perform unauthorized actions by forging requests on behalf of authenticated users.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no required privileges, and the need for user interaction with no change in scope. An attacker can exploit it by enticing a logged-in Drupal user to visit a malicious webpage, which submits forged requests to the vulnerable importer endpoint. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, such as unauthorized data import, modification, or deletion.
The official Drupal Security Advisory SA-CONTRIB-2024-024, available at https://www.drupal.org/sa-contrib-2024-024, details the vulnerability and mitigation steps. Administrators should upgrade the Migrate queue importer module to version 2.1.1 or later to address the issue.
Details
- CWE(s)