Cyber Resilience

CVE-2024-13244

High

Published: 09 January 2025

Modified: 04 June 2025
CVSS v3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0042 (62.5th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13244 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the Migrate Tools module from the Migrate Tools project. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13244 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the Drupal Migrate Tools module. It affects all versions from 0.0.0 up to but not including 6.0.3. The flaw lets an attacker forge requests on behalf of authenticated users of Drupal sites running the affected module. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): the vector is network-reachable, low in complexity and requires no privileges from the attacker, but does require user interaction (UI:R) from the victim, and a successful attack has high impact on confidentiality, integrity, and availability.

Exploitation requires the attacker to induce an authenticated Drupal user to take a specific action, such as visiting a malicious web page or clicking a crafted link, which causes the victim's browser to submit a forged request to the vulnerable Migrate Tools endpoint. The attacker needs no account on the site, so remote actors can target users of any affected site. A successful attack executes unauthorized actions with the victim's privileges, which can lead to high-impact outcomes such as data modification, deletion, or exposure.

The official Drupal security advisory SA-CONTRIB-2024-008 describes the issue and recommends upgrading to Migrate Tools version 6.0.3 or later, where the vulnerability is patched. Site administrators should review installed modules, apply the update promptly, and, as a general best practice, make use of Drupal's built-in CSRF protections in custom code. Additional details are available at https://www.drupal.org/sa-contrib-2024-008.


Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Migrate Tools allows Cross Site Request Forgery. This issue affects Migrate Tools: from 0.0.0 before 6.0.3.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1204.001 Malicious Link (User Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

CSRF in public-facing Drupal module enables remote exploitation via malicious link tricking authenticated users into unauthorized privileged actions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-25121 (shared CWE-352)
- CVE-2025-24001 (shared CWE-352)
- CVE-2025-25147 (shared CWE-352)
- CVE-2026-34904 (shared CWE-352)
- CVE-2024-26153 (shared CWE-352)
- CVE-2025-28860 (shared CWE-352)
- CVE-2026-45430 (shared CWE-352)
- CVE-2025-23880 (shared CWE-352)
- CVE-2025-59541 (shared CWE-352)
- CVE-2026-23622 (shared CWE-352)

Affected Assets

Vendor: Migrate Tools project
Product: Migrate Tools
Affected version ranges: 6.0.0 to 6.0.3; 8.x-1.0 to 8.x-5.2

Mitigating Controls (NIST 800-53 r5, AI-mapped)

- SI-2 (prevent): requires timely flaw remediation, directly addressing CVE-2024-13244 by patching Drupal Migrate Tools to version 6.0.3 or later, where the CSRF vulnerability is fixed.
- SC-23 (prevent): enforces session authenticity mechanisms such as CSRF tokens, preventing forged requests from exploiting the Drupal Migrate Tools CSRF vulnerability on behalf of authenticated users.
- SI-10 (prevent): mandates information input validation, rejecting malformed or forged CSRF requests to the vulnerable Migrate Tools endpoints.
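The session-bound token check that SC-23 calls for, and that the advisory paragraph above recommends as Drupal's built-in CSRF protection, as an added example. This is not Migrate Tools code or the SA-CONTRIB-2024-008 fix; the module name "mymodule", the route "mymodule.run" and its path are assumptions.

```php
<?php
// Added illustration (not Migrate Tools code); "mymodule" and the route
// mymodule.run at /admin/mymodule/run/{id} are assumed. Drupal can enforce
// the same check by declaring `_csrf_token: 'TRUE'` under the route's
// requirements in mymodule.routing.yml; here it is done explicitly.

namespace Drupal\mymodule\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class RunActionController extends ControllerBase {

  // The token is bound to this value, so a token minted for one action
  // cannot be replayed against another.
  private function tokenValue(string $id): string {
    return 'mymodule/run/' . $id;
  }

  // Link offered to the user on a legitimate page. The token is derived from
  // the user's session seed and the site's private key, which a third-party
  // page can neither read nor compute.
  public function link(string $id): array {
    $url = Url::fromRoute('mymodule.run', ['id' => $id]);
    $url->setOption('query', ['token' => \Drupal::csrfToken()->get($this->tokenValue($id))]);
    return ['#type' => 'link', '#title' => $this->t('Run @id', ['@id' => $id]), '#url' => $url];
  }

  // Handler for the state-changing route. A request forged from another
  // origin carries no valid token and is refused with 403 before anything
  // changes; without this check (the CWE-352 pattern) the action would run
  // with the victim's privileges.
  public function run(string $id, Request $request): RedirectResponse {
    $token = (string) $request->query->get('token', '');
    if (!\Drupal::csrfToken()->validate($token, $this->tokenValue($id))) {
      throw new AccessDeniedHttpException('Missing or invalid CSRF token.');
    }
    // The privileged side effect only happens once the token is verified.
    $this->state()->set('mymodule.last_run', $id);
    $this->messenger()->addStatus($this->t('Action @id executed.', ['@id' => $id]));
    return new RedirectResponse(Url::fromRoute('<front>')->toString());
  }

}
```

Forms built with Drupal's Form API get the equivalent protection automatically through their form token, so explicit validation like this is only needed for state-changing links and custom routes.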
