Cyber Posture

CVE-2024-13267

Severity: High
Published: 09 January 2025
Modified: 27 August 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.1st percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-13267 is an Improper Neutralization of Directives in Statically Saved Code vulnerability, classified as Static Code Injection (CWE-96), in the Drupal Opigno TinCan Question Type module. This flaw allows PHP Local File Inclusion and affects versions from 7.X-1.0 up to but not including 7.X-1.3.

With a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited by an attacker possessing low privileges over the network. Exploitation requires high attack complexity but no user interaction, enabling high-impact compromise of confidentiality, integrity, and availability via PHP Local File Inclusion.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-031 details the issue. Mitigation requires updating the Opigno TinCan Question Type module to version 7.X-1.3 or later.

Details

CWE(s): CWE-96

Affected Products

Vendor: opigno
Product: tincan question type
Versions: 7.x-1.0 up to, but not including, 7.x-1.3

MITRE ATT&CK Enterprise Techniques

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables arbitrary PHP code execution via file upload in a Drupal web application, facilitating web shell deployment (T1100) and exploitation of public-facing applications (T1190).