CVE-2024-13284

High

Published: 09 January 2025

Published

09 January 2025

Modified

02 September 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-13284 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Drupal Gutenberg module. This issue affects all versions of the Gutenberg module from 0.0.0 before 2.13.0, as well as versions from 3.0.0 before 3.0.5. The vulnerability was published on 2025-01-09 and carries a CVSS v3.1 base score of 8.8 (High).

The vulnerability can be exploited remotely (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R) and resulting in unchanged scope (S:U). An attacker can trick an authenticated user into performing unintended actions on a Drupal site with the Gutenberg module enabled, potentially achieving high impacts on confidentiality (C:H), integrity (I:H), and availability (A:H).

Drupal's security advisory SA-CONTRIB-2024-048, available at https://www.drupal.org/sa-contrib-2024-048, provides details on the vulnerability.

Details

CWE(s): CWE-352

Affected Products

drupalgutenberg

gutenberg

≤ 2.13.0 · 3.0.0 — 3.0.5

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CSRF vulnerability in Drupal Gutenberg module enables exploitation of public-facing web application to perform unauthorized state-changing actions on behalf of tricked authenticated users with 'use gutenberg' permission.

References

https://www.drupal.org/sa-contrib-2024-048
Third Party Advisory · mlhess@drupal.org