Cyber Resilience

CVE-2024-13241

Severity: Critical
Published: 09 January 2025
Modified: 04 June 2025
KEV Added: not listed
Patch: update to Open Social 12.0.5 or later
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0043 (62.9th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13241 is a critical-severity Improper Authorization (CWE-285) vulnerability in Open Social (vendor: Getopensocial), a Drupal distribution. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS percentile of 62.9 places it in the top 37.1% of CVEs by exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement); applying the vendor update to 12.0.5 or later (SI-2) removes the flaw itself.

Deeper analysis

CVE-2024-13241 is an improper authorization (CWE-285) flaw in the Drupal Open Social distribution. The CVE description uses the CAPEC wording "Collect Data from Common Resource Locations" (CAPEC-150): an attacker reaches resources that should have required an authorization check. Every release from 0.0.0 up to but not including 12.0.5 is affected. The CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), Critical, driven by high confidentiality and integrity impact with no privileges or user interaction required.

The vector's AV:N/AC:L/PR:N/UI:N components mean an unauthenticated remote attacker can trigger the flaw with no user interaction and no special preconditions. Successful exploitation permits unauthorized collection from common resource locations, which the scoring treats as high confidentiality and integrity impact: reading data the attacker should not see and potentially modifying data without authorization. Scope is unchanged (S:U), so the impact is confined to the Open Social application, and availability is not affected (A:N), which is why the score is 9.1 rather than 9.8. The description on this page does not name the specific resources involved, so scope remediation to the product update rather than to any single endpoint.

The Drupal Security Advisory SA-CONTRIB-2024-005 (https://www.drupal.org/sa-contrib-2024-005) covers the issue. The fix is to update Open Social to 12.0.5 or later; every earlier release remains affected.

Vulnerability details

Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations. This issue affects Open Social: from 0.0.0 before 12.0.5.

CWE(s)

CWE-285 Improper Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

Improper authorization in a public-facing Drupal application lets an unauthenticated remote attacker reach the flaw over the network (T1190) and then pull data from resource locations that should have required authorization (T1213).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-31685 (same product: Getopensocial Open Social)
CVE-2025-31686 (same product: Getopensocial Open Social)
CVE-2024-13240 (same product: Getopensocial Open Social)
CVE-2026-43912 (shared CWE-285)
CVE-2026-25809 (shared CWE-285)
CVE-2026-32252 (shared CWE-285)
CVE-2026-30702 (shared CWE-285)
CVE-2026-40246 (shared CWE-285)
CVE-2023-53895 (shared CWE-285)
CVE-2026-28448 (shared CWE-285)

Affected Assets

Vendor: getopensocial
Product: open social
Versions: < 12.0.5 (from 0.0.0 before 12.0.5; 12.0.5 is the first fixed release and is not affected)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-3 Access Enforcement (prevent): enforces approved authorizations for access to resources, directly countering the improper authorization flaw that allows unauthenticated data collection from common resource locations in Drupal Open Social.

AC-22 Publicly Accessible Content (prevent): controls and reviews publicly accessible content so that data not intended to be public is not reachable through the resource locations the vulnerability exposes.

SI-2 Flaw Remediation (prevent): mandates timely remediation of the flaw, here by updating to Open Social 12.0.5 or later. The two access-control controls reduce exposure but do not remove the defect; only the update does.