CVE-2024-13240
Published: 09 January 2025
Summary
CVE-2024-13240 is a high-severity Improper Access Control (CWE-284) vulnerability in Getopensocial Open Social. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 36.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2024-13240 is an improper access control vulnerability (CWE-284) in the Drupal Open Social module that allows attackers to collect data from common resource locations. This issue affects Open Social versions from 0.0.0 up to but not including 12.05.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), meaning unauthenticated remote attackers can exploit it over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact unauthorized access to confidential data without affecting integrity or availability.
The Drupal security advisory SA-CONTRIB-2024-004 at https://www.drupal.org/sa-contrib-2024-004 provides further details on the vulnerability and mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51454
Vulnerability details
Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations. This issue affects Open Social: from 0.0.0 before 12.05.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper access control in a public-facing Drupal module directly enables unauthenticated collection of data from local/common resource paths (T1005) via exploitation of the web application (T1190).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to information and system resources in shared locations, directly mitigating the improper access control vulnerability that allows unauthorized data collection.
- SI-2 (Flaw Remediation): Identifies, prioritizes, and corrects flaws like CVE-2024-13240 in the Drupal Open Social module through timely patching to version 12.05 or later.
- SC-14 (Public Access Protections): Enforces authorizations and verifies communications on publicly accessible Drupal interfaces to prevent unauthenticated remote access to confidential data from common resource locations.