CVE-2024-13311

High

Published: 09 January 2025

Published

09 January 2025

Modified

02 September 2025

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS Score 0.0025 48.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Security Summary

CVE-2024-13311 is a vulnerability in the Drupal module "Allow All File Extensions for file fields." This issue affects Allow All File Extensions for file fields: *.*.

The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N). An attacker with low privileges can exploit it over the network with low attack complexity, but it requires user interaction. Successful exploitation enables high impacts on confidentiality and integrity, with no availability impact.

Mitigation details are provided in the Drupal security advisory SA-CONTRIB-2024-075 at https://www.drupal.org/sa-contrib-2024-075.

Details

CWE(s): NVD-CWE-noinfo

Affected Products

allow all file extensions for file fields project

allow all file extensions for file fields

all versions

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

The Drupal module vulnerability allows arbitrary file extensions in uploads, enabling exploitation of public-facing web applications (T1190) and facilitating web shell deployment (T1100).

References

https://www.drupal.org/sa-contrib-2024-075
Third Party Advisory · mlhess@drupal.org