CVE-2024-13241
Published: 09 January 2025
Summary
CVE-2024-13241 is a critical-severity Improper Authorization (CWE-285) vulnerability in Open Social (vendor: Getopensocial), a Drupal distribution. Its CVSS v3.1 base score is 9.1 (Critical).
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.1% of CVEs by estimated exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-13241 is an improper authorization vulnerability in the Drupal Open Social distribution that allows attackers to collect data from common resource locations. It affects all Open Social releases before 12.0.5 (the published range is from 0.0.0 up to but not including 12.0.5). The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): network-reachable, low attack complexity, no privileges and no user interaction, with high confidentiality and integrity impact and no availability impact.
Remote attackers with network access to the site can exploit this vulnerability without authenticating; attack complexity is low and no privileges or user interaction are required. Successful exploitation enables unauthorized data collection from common resource locations, which can lead to high confidentiality and integrity impact, such as reading sensitive information or modifying data without proper authorization.
The Drupal Security Advisory at https://www.drupal.org/sa-contrib-2024-005 provides details on the issue. Mitigation involves updating to Open Social version 12.0.5 or later, which resolves the improper authorization flaw.
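Deciding which installs need the update is a version-range comparison, and doing it with plain string comparison gets it wrong (for example "12.0.10" sorts before "12.0.5" lexically). The following triage helper is an added example written for this page, not code from the advisory or from Open Social; it encodes only the range stated above (from 0.0.0 before 12.0.5), uses only the standard library, and treats a pre-release of the fixed version (such as a hypothetical "12.0.5-rc1") as older than 12.0.5, which is the usual semantic-versioning reading and an assumption here. The inventory at the bottom is constructed sample data.

```python
import re

# Affected range as stated in the advisory: from 0.0.0 before 12.0.5.
AFFECTED_FROM = "0.0.0"
FIXED_IN = "12.0.5"

# Accepts "12.0.5", "v12.0.4", "12.0" and a hyphenated pre-release suffix.
_VERSION_RE = re.compile(
    r"^v?(?P<nums>\d+(?:\.\d+)*)(?:-(?P<pre>[0-9A-Za-z.]+))?$"
)


def parse_version(text: str) -> tuple:
    """Turn a version string into a tuple that compares correctly.

    Numeric components compare as integers, so 12.0.10 > 12.0.5.
    A release is (nums, 0, ()); a pre-release is (nums, -1, pre_parts),
    which sorts below the final release with the same number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad "12.0" to (12, 0, 0)
    pre = m.group("pre")
    if pre is None:
        return (nums, 0, ())
    # Keep numeric and alphabetic suffix parts comparable with each other
    # by tagging them (0, int) and (1, str) respectively.
    pre_parts = tuple(
        (0, int(p)) if p.isdigit() else (1, p) for p in pre.split(".")
    )
    return (nums, -1, pre_parts)


def is_affected(installed: str) -> bool:
    """True if `installed` lies in [AFFECTED_FROM, FIXED_IN)."""
    v = parse_version(installed)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)


def triage(versions) -> dict:
    """Map each version string to 'affected' or 'fixed' for a fleet report."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real hosts.
    sample = ["11.3.1", "12.0.4", "12.0.5-rc1", "12.0.5", "12.0.10", "v12.1.0"]
    for ver, status in triage(sample).items():
        print(f"{ver:>12}  {status}")
```

Feed it the version strings you collect from each site's installed Open Social package; anything reported "affected" needs the 12.0.5 update described above.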
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51455
Vulnerability details
Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations. This issue affects Open Social: from 0.0.0 before 12.0.5.
- CWE(s): CWE-285 (Improper Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper authorization in a public-facing Drupal application allows remote, unauthenticated exploitation (T1190, Exploit Public-Facing Application) and unauthorized collection of data from common resource locations (T1213, Data from Information Repositories).
Affected Assets
- Open Social (Drupal distribution): versions from 0.0.0 before 12.0.5
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement) requires the application to enforce approved authorizations on every access to a resource, which is exactly the check this vulnerability bypasses when it lets unauthenticated users collect data from common resource locations in Drupal Open Social.
AC-22 (Publicly Accessible Content) requires control and periodic review of what a public-facing system exposes to anonymous users, limiting what an attacker can collect from the resource locations this vulnerability reaches.
SI-2 (Flaw Remediation) requires timely remediation of the flaw itself, here by updating to Open Social 12.0.5 or later.