CVE-2024-13254
Published: 09 January 2025
Summary
CVE-2024-13254 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Rest Views Project Rest Views. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 40.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the specific flaw in Drupal REST Views by updating to version 3.0.1, preventing insertion of sensitive information into sent data.
Filters information output from REST Views endpoints to prevent disclosure of sensitive data via forceful browsing.
Monitors for information disclosure events, enabling detection of sensitive data leaks through unauthorized access to REST endpoints.
NVD Description
Insertion of Sensitive Information Into Sent Data vulnerability in Drupal REST Views allows Forceful Browsing.This issue affects REST Views: from 0.0.0 before 3.0.1.
Deeper analysisAI
CVE-2024-13254 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the Drupal REST Views module, which allows forceful browsing. This issue affects REST Views versions from 0.0.0 before 3.0.1. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high severity primarily due to its potential for high confidentiality impact over the network.
An unauthenticated remote attacker can exploit this vulnerability with low attack complexity and no user interaction. By performing forceful browsing on REST Views endpoints, the attacker can access sensitive information that is improperly included in sent data.
The Drupal security advisory SA-CONTRIB-2024-018 addresses this issue and recommends updating to REST Views version 3.0.1 or later for mitigation.
Details
- CWE(s)