CVE-2024-13276

High

Published: 09 January 2025

Published

09 January 2025

Modified

02 September 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0019 41.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques.

Security Summary

CVE-2024-13276 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the Drupal File Entity (fieldable files) module, enabling forceful browsing. It affects File Entity versions 7.x before 7.x-2.39. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from remote exploitation.

Remote unauthenticated attackers can exploit this issue over the network with low attack complexity and no user interaction. Exploitation allows attackers to conduct forceful browsing, resulting in the disclosure of sensitive information included in sent data.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-040 details the vulnerability. Mitigation involves upgrading to File Entity version 7.x-2.39 or later.

Details

CWE(s): CWE-201

Affected Products

file entity project

file entity

≤ 7.x-2.39

MITRE ATT&CK Enterprise Techniques

T1595.003 Wordlist Scanning Reconnaissance

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques.

attack.mitre.org →

Why these techniques?

The vulnerability misplaces private files into publicly accessible directories, enabling forceful browsing via wordlist scanning to discover and access sensitive information without authentication.

References

https://www.drupal.org/sa-contrib-2024-040
Third Party Advisory · mlhess@drupal.org