CVE-2024-13278
Published: 09 January 2025
Description
Adversaries may leverage information repositories to mine valuable information.
Security Summary
CVE-2024-13278 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Diff module that allows Functionality Misuse. It affects all versions of the Diff module from 0.0.0 before 1.8.0. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high confidentiality and integrity impacts.
Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables functionality misuse, potentially allowing unauthorized access to sensitive data or modifications that compromise the integrity of Drupal sites using the affected Diff module.
The Drupal security advisory SA-CONTRIB-2024-042 at https://www.drupal.org/sa-contrib-2024-042 recommends upgrading to Diff module version 1.8.0 as the primary mitigation. No additional workarounds are specified in available details.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect authorization in Drupal Diff module enables access bypass for rendering diff reports on restricted revisions of nodes/entities, facilitating unauthorized collection of data from Drupal content repositories.