CVE-2024-13242
Published: 09 January 2025
Summary
CVE-2024-13242 is a critical-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Swift Mailer Project Swift Mailer. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13242 is an Exposed Dangerous Method or Function vulnerability in the Swift Mailer module for Drupal, enabling Resource Location Spoofing. This issue affects all versions of Swift Mailer (*.*). The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality and integrity.
Unauthenticated attackers on the network can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. Successful exploitation allows attackers to spoof resource locations, potentially leading to high confidentiality and integrity impacts, such as unauthorized access to sensitive data or manipulation of resources, while availability remains unaffected.
The Drupal security advisory SA-CONTRIB-2024-006 at https://www.drupal.org/sa-contrib-2024-006 provides details on this vulnerability and mitigation recommendations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51456
Vulnerability details
Exposed Dangerous Method or Function vulnerability in Drupal Swift Mailer allows Resource Location Spoofing.This issue affects Swift Mailer: *.*.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Exposed dangerous method in public-facing Drupal Swift Mailer module directly enables remote unauthenticated exploitation (T1190) for resource location spoofing with high C/I impact.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the exposed dangerous method vulnerability in Swift Mailer by applying the patch from Drupal SA-CONTRIB-2024-006.
Enforces access controls to prevent unauthenticated attackers from invoking the dangerous method enabling resource location spoofing.
Validates inputs to Swift Mailer functions to mitigate resource location spoofing attempts.