CVE-2024-13251

High

Published: 09 January 2025

Published

09 January 2025

Modified

04 June 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0034 57.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13251 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Registration Role Project Registration Role. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 42.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and correction of flaws, directly mitigating CVE-2024-13251 by patching the vulnerable Drupal Registration role module.

AC-6 Least Privilege good match

prevent

AC-6 enforces least privilege, preventing privilege escalation from incorrect privilege assignments in the Drupal Registration role module.

AC-2 Account Management good match

prevent

AC-2 establishes processes for managing accounts and privileges, countering incorrect privilege assignments that enable escalation in this CVE.

NVD Description

Incorrect Privilege Assignment vulnerability in Drupal Registration role allows Privilege Escalation.This issue affects Registration role: from 0.0.0 before 2.0.1.

Deeper analysisAI

CVE-2024-13251 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Drupal Registration role module that allows privilege escalation. The issue affects the Registration role module from version 0.0.0 before 2.0.1. Published on January 9, 2025, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables privilege escalation, granting high-level access that compromises confidentiality, integrity, and availability of the affected Drupal instance.

The Drupal security advisory SA-CONTRIB-2024-015 details the vulnerability and mitigation steps, available at https://www.drupal.org/sa-contrib-2024-015. Administrators should upgrade the Registration role module to version 2.0.1 or later to remediate the issue.