CVE-2024-13250

High

Published: 09 January 2025

Published

09 January 2025

Modified

04 June 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0031 54.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13250 is a high-severity CSRF (CWE-352) vulnerability in Drupal Symfony Mailer Lite Project Drupal Symfony Mailer Lite. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 45.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match

prevent

Protects session authenticity to prevent CSRF attacks by validating that state-changing requests originate from legitimate user sessions, directly addressing the Drupal module's CSRF flaw.

SI-10 Information Input Validation good match

prevent

Requires validation of information inputs such as CSRF tokens, comprehensively mitigating forged requests that exploit the vulnerability in Symfony Mailer Lite.

SI-2 Flaw Remediation good match

prevent

Ensures timely remediation of known flaws like CVE-2024-13250 by applying patches such as updating to Drupal Symfony Mailer Lite 1.0.6.

NVD Description

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Drupal Symfony Mailer Lite allows Cross Site Request Forgery.This issue affects Drupal Symfony Mailer Lite: from 0.0.0 before 1.0.6.

Deeper analysisAI

CVE-2024-13250 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Drupal Symfony Mailer Lite module. This issue affects all versions of the module from 0.0.0 up to but not including 1.0.6. The vulnerability enables CSRF attacks against Drupal sites using this contrib module for Symfony Mailer integration.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity. Attackers require no privileges and can exploit it over the network with low complexity, but it demands user interaction, such as a victim clicking a malicious link or loading a crafted page. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially enabling attackers to perform unauthorized actions on behalf of authenticated users.

The official Drupal security advisory SA-CONTRIB-2024-014, available at https://www.drupal.org/sa-contrib-2024-014, details the issue and recommends updating to Drupal Symfony Mailer Lite version 1.0.6 or later, which resolves the CSRF protection flaw. Site administrators should apply the patch promptly and review access to affected functionality.

Details

CWE(s): CWE-352

Affected Products

drupal symfony mailer lite project

drupal symfony mailer lite

≤ 1.0.6

CVEs Like This One

CVE-2024-55924Same product class: CMS core

CVE-2024-55921Same product class: CMS core

CVE-2024-40748Same product class: CMS core

CVE-2026-40488Same product class: CMS core

CVE-2025-24416Same product class: CMS core

CVE-2026-21289Same product class: CMS core

CVE-2025-24410Same product class: CMS core

CVE-2024-11816Same product class: CMS core

CVE-2025-1971Same product class: CMS core

CVE-2026-21309Same product class: CMS core

References

https://www.drupal.org/sa-contrib-2024-014
Vendor Advisory · mlhess@drupal.org