CVE-2024-13254
Published: 09 January 2025
Summary
CVE-2024-13254 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Rest Views Project Rest Views. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13254 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the Drupal REST Views module, which allows forceful browsing. This issue affects REST Views versions from 0.0.0 before 3.0.1. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high severity primarily due to its potential for high confidentiality impact over the network.
An unauthenticated remote attacker can exploit this vulnerability with low attack complexity and no user interaction. By performing forceful browsing on REST Views endpoints, the attacker can access sensitive information that is improperly included in sent data.
The Drupal security advisory SA-CONTRIB-2024-018 addresses this issue and recommends updating to REST Views version 3.0.1 or later for mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51468
Vulnerability details
Insertion of Sensitive Information Into Sent Data vulnerability in Drupal REST Views allows Forceful Browsing.This issue affects REST Views: from 0.0.0 before 3.0.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct exploitation of a public-facing Drupal REST API endpoint via forceful browsing to disclose sensitive data.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the specific flaw in Drupal REST Views by updating to version 3.0.1, preventing insertion of sensitive information into sent data.
Filters information output from REST Views endpoints to prevent disclosure of sensitive data via forceful browsing.
Monitors for information disclosure events, enabling detection of sensitive data leaks through unauthorized access to REST endpoints.