CVE-2024-13282
Published: 09 January 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-13282 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Block permissions module that allows forceful browsing. The issue affects Block permissions versions from 1.0.0 up to but not including 1.2.0.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with unchanged scope and high impacts on confidentiality, integrity, and availability. Unauthenticated attackers can exploit it remotely by bypassing authorization checks through direct URL access, potentially leading to unauthorized data access, modification, or disruption.
The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-046 details the vulnerability. Mitigation requires upgrading the Block permissions module to version 1.2.0 or later.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The incorrect authorization vulnerability enables users with 'administer blocks provided by [provider]' permission to bypass theme-specific block management restrictions via forceful browsing to the add block route, facilitating privilege escalation by allowing unauthorized block placement.