CVE-2024-13255

High

Published: 09 January 2025

Published

09 January 2025

Modified

04 June 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0018 39.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13255 is a high-severity Exposure of Sensitive Information Through Data Queries (CWE-202) vulnerability in Restful Web Services Project Restful Web Services. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 39.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring identification, reporting, and correction of the specific flaw in the Drupal RESTful Web Services module via patching to version 7.X-2.10 or later.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations on RESTful endpoints to prevent unauthorized forceful browsing and exposure of sensitive information without privileges.

SI-10 Information Input Validation good match

prevent

Validates crafted data queries to RESTful Web Services, blocking malicious inputs that could disclose sensitive information.

NVD Description

Exposure of Sensitive Information Through Data Queries vulnerability in Drupal RESTful Web Services allows Forceful Browsing.This issue affects RESTful Web Services: from 7.X-2.0 before 7.X-2.10.

Deeper analysisAI

CVE-2024-13255 is an Exposure of Sensitive Information Through Data Queries vulnerability in the Drupal RESTful Web Services module, enabling forceful browsing. This issue affects RESTful Web Services versions from 7.X-2.0 before 7.X-2.10. The vulnerability is classified under CWE-202 and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no effect on integrity or availability.

Remote attackers require only network access and can exploit the vulnerability without privileges or user interaction due to its low attack complexity. Successful exploitation allows disclosure of sensitive information through crafted data queries targeting the RESTful endpoints.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-019 details mitigation steps, with the issue resolved in RESTful Web Services version 7.X-2.10. Site administrators should update to this or later versions to address the vulnerability.