Cyber Resilience

CVE-2024-13240

Severity: High
Published: 09 January 2025
Modified: 04 June 2025
CISA KEV: not listed
CVSS v3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0045 (63.9th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13240 is a high-severity Improper Access Control (CWE-284) vulnerability in Open Social (vendor: Getopensocial), a Drupal-based community platform. Its CVSS v3.1 base score is 7.5 (High).

Operationally, the page's AI-generated ATT&CK mapping aligns exploitation with Data from Local System (T1005), reached through Exploit Public-Facing Application (T1190). The EPSS score of 0.0045 sits at the 63.9th percentile, i.e. in the top 36.1% of CVEs by predicted exploit likelihood, and the CVE is not currently listed in the CISA KEV catalog.

The strongest mitigations the page's analysis identified are NIST SP 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections). Note that SC-14 is a withdrawn control: since Revision 4 its capability has been provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10, so in an r5 control mapping AC-3 and the SI-family controls carry the weight. In practice the fix is updating to the patched Open Social release.

Deeper analysis

CVE-2024-13240 is an improper access control vulnerability (CWE-284) in the Drupal Open Social distribution. The Drupal advisory classifies the consequence as "Collect Data from Common Resource Locations" (CAPEC-150 wording): an attacker can retrieve data that the application should have restricted. The CVE record gives the affected range as Open Social from 0.0.0 before 12.05, while the affected-asset range further down this page ends at 12.0.5; confirm the first fixed release against the Drupal advisory before closing a finding.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): an unauthenticated remote attacker can trigger it over the network with low attack complexity and no user interaction. The impact is confined to confidentiality (C:H) with no integrity or availability effect, and scope is unchanged, so the exposure is limited to data the vulnerable component itself can reach.

The Drupal security advisory SA-CONTRIB-2024-004 at https://www.drupal.org/sa-contrib-2024-004 provides further details on the vulnerability and mitigation steps.

Vulnerability details

Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations. This issue affects Open Social: from 0.0.0 before 12.05.

CWE(s): CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Improper access control in a public-facing Drupal component lets an unauthenticated attacker collect data from local or common resource paths (T1005) by exploiting the web application itself (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-31686 (same product: Getopensocial Open Social)
CVE-2025-31685 (same product: Getopensocial Open Social)
CVE-2024-13241 (same product: Getopensocial Open Social)
CVE-2024-55019 (shared CWE-284)
CVE-2026-35231 (shared CWE-284)
CVE-2026-39339 (shared CWE-284)
CVE-2026-28855 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2025-26010 (shared CWE-284)
CVE-2026-28965 (shared CWE-284)

Affected Assets

Vendor: getopensocial
Product: open social
Versions: 10.0.0 to 12.0.5
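The quickest way to turn the version range into a finding is to read it off the project's composer.lock, which Drupal sites built with Composer already have. The script below is an added example (not from this page or the Open Social project). It assumes Open Social is installed as the Composer package goalgorilla/open_social and that 12.0.5 is the first fixed release; the CVE text writes the boundary as "12.05", so confirm the boundary against SA-CONTRIB-2024-004 before relying on it. The lock-file content is constructed for the example.

```python
"""Flag an affected Open Social release in a composer.lock (added example)."""
import json

# Assumption: Open Social is installed via this Composer package name.
PACKAGE = "goalgorilla/open_social"
# Assumption: first fixed release is 12.0.5 (the CVE text says "before 12.05";
# confirm against SA-CONTRIB-2024-004).
FIXED = (12, 0, 5)


def parse_version(version):
    """Split a Composer version into ((major, minor, patch), is_prerelease).
    "v12.0.5-rc1" -> ((12, 0, 5), True); "12.0.4" -> ((12, 0, 4), False)."""
    v = version.strip().lstrip("vV")
    core, sep, _suffix = v.partition("-")
    parts = []
    for piece in core.split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts), bool(sep)


def is_affected(version):
    """True if version precedes FIXED (a pre-release of FIXED counts as
    earlier); None for branch checkouts, which need a commit comparison."""
    if version.startswith("dev-") or version.endswith("-dev"):
        return None
    core, prerelease = parse_version(version)
    return core < FIXED or (core == FIXED and prerelease)


def installed_version(lock_text):
    """Return the locked version of PACKAGE, or None if it is absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def assess(lock_text):
    """Produce a finding for the body of a composer.lock file."""
    version = installed_version(lock_text)
    if version is None:
        return {"installed": None, "affected": False,
                "verdict": "%s not present in lock file" % PACKAGE}
    verdict = is_affected(version)
    if verdict is None:
        text = "%s is a branch checkout; compare its commit with the fix" % version
    elif verdict:
        text = "%s is affected by CVE-2024-13240; update to 12.0.5 or later" % version
    else:
        text = "%s is at or beyond the fixed release" % version
    return {"installed": version, "affected": verdict, "verdict": text}


# Constructed sample lock file, not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.3"},
        {"name": "goalgorilla/open_social", "version": "12.0.4"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK)["verdict"])
```

Point it at a real lock file with `assess(open("composer.lock").read())`. Branch checkouts (dev-main, 2.x-dev) are deliberately reported as undecided rather than clean, since a version string alone cannot tell whether the fix commit is present.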

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access to information and system resources in shared locations, directly mitigating the improper access control that allows unauthorized data collection.

Flaw remediation (prevent): Identifies, prioritizes, and corrects flaws like CVE-2024-13240 in the Drupal Open Social distribution through timely patching to version 12.05 or later.

SC-14 Public Access Protections (prevent): Enforces authorizations and verifies communications on publicly accessible Drupal interfaces to prevent unauthenticated remote access to confidential data from common resource locations. SC-14 has been withdrawn from SP 800-53 since Revision 4, with its capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10, so cite those controls rather than SC-14 in an r5-based mapping.

References

Drupal security advisory SA-CONTRIB-2024-004: https://www.drupal.org/sa-contrib-2024-004