Cyber Posture

CVE-2024-13281

Critical

Published: 09 January 2025

Modified: 02 September 2025
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0016 (37.1st percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-13281 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Monster Menus module that permits forceful browsing: a visitor who requests a URL directly can reach content that the module's access checks should have denied, because the authorization decision is not enforced on the request itself. It affects all Monster Menus releases before 9.3.2.
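To make the vulnerability class concrete, the following is an added illustration of CWE-863 forceful browsing in a Drupal 9+/10 module, written for this page and not taken from Monster Menus or the advisory. The module name mm_example, its route, and the PageController class are hypothetical; the Drupal APIs it relies on (ControllerBase, entity access(), and the _entity_access / _custom_access route requirements) are real.

```php
<?php
// Added illustration of CWE-863 / forceful browsing in a Drupal module.
// Hypothetical module "mm_example"; this is NOT Monster Menus' code.

namespace Drupal\mm_example\Controller;

use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

/**
 * Renders a page that the module's menu tree links to.
 *
 * Hypothetical routing (mm_example.routing.yml):
 *
 *   mm_example.page:
 *     path: '/mm-example/page/{node}'
 *     defaults:
 *       _controller: '\Drupal\mm_example\Controller\PageController::viewChecked'
 *     requirements:
 *       _entity_access: 'node.view'   # route-level check, see access() below
 *     options:
 *       parameters:
 *         node:
 *           type: entity:node
 */
class PageController extends ControllerBase {

  /**
   * VULNERABLE pattern: render whatever node the URL names.
   *
   * The module keeps this page out of the menu tree for users who lack
   * access, but the handler never asks whether the current user may view
   * the node. Anyone who types or guesses the URL (forceful browsing) gets
   * the content: the authorization decision lives in the navigation UI
   * instead of the request handler (CWE-863). Behind a route requirement of
   * only `_access: 'TRUE'`, this is reachable by anonymous users.
   */
  public function viewUnchecked(NodeInterface $node): array {
    return $this->entityTypeManager()
      ->getViewBuilder('node')
      ->view($node, 'full');
  }

  /**
   * FIXED pattern: enforce the entity's own access control on every request.
   *
   * NodeInterface::access() evaluates node access grants and
   * hook_node_access() for the current user, so unpublished or restricted
   * nodes are denied regardless of how the visitor reached the URL.
   */
  public function viewChecked(NodeInterface $node): array {
    if (!$node->access('view')) {
      throw new AccessDeniedHttpException();
    }
    return $this->entityTypeManager()
      ->getViewBuilder('node')
      ->view($node, 'full');
  }

  /**
   * Route-level alternative: a custom access callback wired with
   * `_custom_access` in routing.yml. Asking for the result as an object
   * (third argument TRUE) keeps the cacheability metadata, so the dynamic
   * page cache cannot serve a denied page to a different user.
   */
  public function access(NodeInterface $node, AccountInterface $account): AccessResultInterface {
    return $node->access('view', $account, TRUE);
  }

}
```

The practical check when auditing a module for this class is to find every route it declares and confirm that each one has either a meaningful `requirements:` entry or an access check inside the controller; a route whose only protection is "nobody links to it" is exactly the forceful-browsing case.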

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): it is reachable over the network, has low attack complexity, needs no privileges or user interaction, and does not change scope. A remote, unauthenticated attacker can exploit it for high confidentiality and integrity impact; availability is not affected.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-045 details the issue; the fix is to update Monster Menus to version 9.3.2 or later.

Details

CWE(s)
CWE-863

Affected Products

Monster Menus project: Monster Menus module
7.x branch: 7.x-1.34 and earlier
9.x branch: 9.3.0 up to, but not including, 9.3.2 (fixed in 9.3.2)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The incorrect authorization flaw (CVE-2024-13281) in Drupal Monster Menus enables forceful browsing: an unauthenticated visitor can bypass access controls on a public-facing web application and read, and per the CVSS vector also modify, content they are not permitted to reach. That is the direct path to initial access that T1190 describes.

References