CVE-2024-13291
Published: 09 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13291 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Basic HTTP Authentication module that enables forceful browsing. It affects versions from 7.x-1.0 up to but not including 7.x-1.4. The vulnerability has a CVSS v3.1 base score of 7.3 (High), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network-accessible exploitation with low attack complexity, no privileges or user interaction required, and low impacts across confidentiality, integrity, and availability.
Remote, unauthenticated attackers can exploit this issue by bypassing the module's authorization checks and forcefully browsing to resources they are not permitted to access. Successful exploitation requires only network access to an affected Drupal site that uses the vulnerable module; consistent with the low impact ratings, the result is limited data exposure, tampering, or disruption rather than full compromise.
The official Drupal Security Advisory (SA-CONTRIB-2024-057) at https://www.drupal.org/sa-contrib-2024-057 provides details on mitigation, including an update to Basic HTTP Authentication version 7.x-1.4 or later to address the authorization flaw. Security practitioners should verify installations and apply the patch promptly.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-13291 is an access bypass vulnerability in the Drupal Basic HTTP Authentication module, enabling forceful browsing to restricted paths on a public-facing web application.