CVE-2024-13244
Published: 09 January 2025
Summary
CVE-2024-13244 is a high-severity CSRF (CWE-352) vulnerability in Migrate Tools Project Migrate Tools. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 37.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13244 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the Drupal Migrate Tools module. This flaw impacts all versions from 0.0.0 up to but not including 6.0.3. The vulnerability enables attackers to forge requests on behalf of authenticated users interacting with Drupal sites that use the affected module. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): high severity because the module is reachable over the network, the attack is low complexity, the attacker needs no privileges of their own (only a user interaction), and the impact on confidentiality, integrity, and availability is high.
Exploitation requires an attacker to trick an authenticated Drupal user into performing a specific action, such as visiting a malicious webpage or clicking a crafted link, which submits a forged request to the vulnerable Migrate Tools endpoint. No authentication is needed by the attacker, making it feasible for remote actors targeting users of affected sites. Successful exploitation allows the attacker to execute unauthorized actions with the victim's privileges, potentially leading to high-impact outcomes like data modification, deletion, or exposure.
The official Drupal security advisory SA-CONTRIB-2024-008 details the issue and recommends upgrading to Migrate Tools version 6.0.3 or later, where the vulnerability has been patched. Site administrators should review installed modules, apply the update promptly, and confirm that Drupal's built-in CSRF protections are in use as a general best practice. Additional details are available at https://www.drupal.org/sa-contrib-2024-008.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51458
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Migrate Tools allows Cross Site Request Forgery. This issue affects Migrate Tools: from 0.0.0 before 6.0.3.
- CWE(s): CWE-352
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw sits in a public-facing Drupal module, so a remote attacker can exploit it by luring an authenticated user to a malicious link that triggers privileged actions the user never intended.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly addressing CVE-2024-13244 by patching Drupal Migrate Tools to version 6.0.3 or later where the CSRF vulnerability is fixed.
SC-23 enforces session authenticity mechanisms like CSRF tokens, preventing forged requests from exploiting the Drupal Migrate Tools CSRF vulnerability on behalf of authenticated users.
SI-10 mandates information input validation, so that requests to the Migrate Tools endpoints lacking a valid, session-bound CSRF token are rejected rather than acted upon.
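To make the SC-23 and SI-10 controls above concrete, here is an added illustration (not Drupal's, Migrate Tools', or the advisory's code) of the session-bound CSRF token pattern they call for: a per-session random seed, a token derived from that seed and the specific action it protects, and a constant-time check before any state change. The `CsrfGuard` class, the `handleExecute` handler and the `migrate:execute` / `migrate:rollback` action names are assumptions made for the example; in real Drupal the equivalent is the Form API token or a route with the `_csrf_token: 'TRUE'` requirement. The sample requests at the bottom are constructed.

```php
<?php
// Added example (not Drupal/Migrate Tools code): session-bound, action-bound
// CSRF tokens, loosely modelled on how Drupal's CsrfTokenGenerator derives a
// token from a per-session seed plus the value it protects.
declare(strict_types=1);

final class CsrfGuard
{
    private string $seed;

    public function __construct(array &$session)
    {
        // One random seed per session, persisted in the session store so the
        // token cannot be computed by anyone who does not hold the session.
        if (!isset($session['csrf_seed'])) {
            $session['csrf_seed'] = bin2hex(random_bytes(32));
        }
        $this->seed = $session['csrf_seed'];
    }

    // Bind the token to a specific action so a token obtained for one form
    // cannot be replayed against a different endpoint.
    public function get(string $action): string
    {
        return hash_hmac('sha256', $action, $this->seed);
    }

    // Constant-time comparison; a missing token is simply invalid.
    public function validate(?string $token, string $action): bool
    {
        if ($token === null || $token === '') {
            return false;
        }
        return hash_equals($this->get($action), $token);
    }
}

// Hypothetical state-changing handler (the action name is an assumption, not
// a real Migrate Tools route).
function handleExecute(array $request, CsrfGuard $guard): array
{
    // The vulnerable pattern is to rely on the session cookie alone: a
    // cross-site form post carries the cookie automatically, so the request
    // looks authenticated even though the user never intended it.
    // Hardened pattern: require a token that only same-origin pages can read.
    if (!$guard->validate($request['token'] ?? null, 'migrate:execute')) {
        return ['status' => 403, 'body' => 'Invalid or missing CSRF token'];
    }
    return ['status' => 200, 'body' => 'Migration executed'];
}

// Constructed sample requests against one session.
$session = [];
$guard   = new CsrfGuard($session);

$legit  = ['token' => $guard->get('migrate:execute')];        // same-origin form
$forged = [];                                                  // cross-site post, no token
$wrong  = ['token' => $guard->get('migrate:rollback')];       // token for another action

foreach (['legit' => $legit, 'forged' => $forged, 'wrong' => $wrong] as $name => $req) {
    $r = handleExecute($req, $guard);
    printf("%-6s -> %d %s\n", $name, $r['status'], $r['body']);
}
```

Only the first request succeeds; the forged request has no token because a cross-site page cannot read the victim's session-bound value, and the third fails because its token was issued for a different action. This is the check a Drupal route gains automatically from the Form API token or the `_csrf_token: 'TRUE'` route requirement, and it is what the SA-CONTRIB-2024-008 fix restores for Migrate Tools 6.0.3.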