Cyber Posture

CVE-2024-13253

Critical

Published: 09 January 2025

Published
09 January 2025
Modified
04 June 2025
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0039 59.9th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13253 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Advanced Pwa Inc Push Notifications Project Advanced Pwa Inc Push Notifications. Its CVSS base score is 9.1 (Critical).

Operationally, ranked in the top 40.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mandates timely remediation of the identified flaw in the Drupal Advanced PWA module by upgrading to version 1.5.0 or later, as recommended in the security advisory.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access to system resources, preventing forceful browsing exploits due to incorrect authorization checks.

SI-5 Security Alerts, Advisories, and Directives good match
prevent

Requires obtaining and implementing security advisories like SA-CONTRIB-2024-017 to address the vulnerability before exploitation.

NVD Description

Incorrect Authorization vulnerability in Drupal Advanced PWA inc Push Notifications allows Forceful Browsing.This issue affects Advanced PWA inc Push Notifications: from 0.0.0 before 1.5.0.

Deeper analysisAI

CVE-2024-13253 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Advanced PWA inc Push Notifications module that allows Forceful Browsing. This issue affects all versions of the module from 0.0.0 before 1.5.0. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites like privileges or user interaction.

Remote, unauthenticated attackers can exploit this vulnerability over the network by engaging in forceful browsing. Successful exploitation enables high-impact disruption to integrity and availability, such as unauthorized modifications or denial of service, while confidentiality remains unaffected.

The Drupal security advisory SA-CONTRIB-2024-017 details the vulnerability and recommends upgrading to version 1.5.0 or later of the Advanced PWA inc Push Notifications module as the primary mitigation.

Details

CWE(s)
CWE-863

Affected Products

advanced pwa inc push notifications project
advanced pwa inc push notifications
≤ 8.x-1.5

CVEs Like This One

CVE-2025-27645Shared CWE-863
CVE-2026-22806Shared CWE-863
CVE-2025-0359Shared CWE-863
CVE-2026-28473Shared CWE-863
CVE-2026-41344Shared CWE-863
CVE-2025-4960Shared CWE-863
CVE-2026-25040Shared CWE-863
CVE-2025-30093Shared CWE-863
CVE-2025-13928Shared CWE-863
CVE-2024-45328Shared CWE-863

References