Cyber Resilience

CVE-2024-13255

High

Published: 09 January 2025
Modified: 04 June 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in 7.x-2.10
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0025 (48.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13255 is a high-severity Exposure of Sensitive Information Through Data Queries (CWE-202) vulnerability in the Drupal RESTful Web Services contributed module (vendor listed as "Restful Web Services Project"). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 48.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13255 is an Exposure of Sensitive Information Through Data Queries (CWE-202) vulnerability in the Drupal RESTful Web Services module that enables forceful browsing: a client can request resources directly through the module's REST endpoints and receive data that the site's access controls should have withheld. It affects RESTful Web Services versions from 7.x-2.0 up to, but not including, 7.x-2.10. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, with no impact on integrity or availability.

The attacker needs only network reachability of the site: no privileges, no user interaction, and low attack complexity. Successful exploitation discloses sensitive information through crafted data queries against the module's REST endpoints; it does not allow modification of data or denial of service.

The Drupal security advisory SA-CONTRIB-2024-019 (https://www.drupal.org/sa-contrib-2024-019) details the fix, which shipped in RESTful Web Services 7.x-2.10. Site administrators should update to 7.x-2.10 or later. A site running a 7.x-2.x development snapshot cannot be placed in or out of the affected range from the version string alone and should be updated regardless.
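Deciding whether a given install is inside "from 7.x-2.0 before 7.x-2.10" is easy to get wrong at scale, because a naive string comparison sorts 7.x-2.10 before 7.x-2.9. The following is an added example, not code from this page or from the Drupal project; it assumes Drupal's contrib version scheme CORE.x-MAJOR.MINOR[-STAGEn] (7.x-2.9, 7.x-2.10-beta1, 7.x-2.x-dev) and uses a constructed inventory with placeholder hostnames.

```python
"""Classify a Drupal 7 contrib module version string against the range
affected by CVE-2024-13255 (from 7.x-2.0, before 7.x-2.10).

Added example, not code from this page or from the Drupal project. It
assumes Drupal's contrib version scheme CORE.x-MAJOR.MINOR[-STAGEn]
(e.g. 7.x-2.9, 7.x-2.10-beta1, 7.x-2.x-dev); the inventory at the bottom
is constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

AFFECTED_FROM = "7.x-2.0"   # first affected release (inclusive), per the advisory
FIXED_IN = "7.x-2.10"       # first fixed release (exclusive upper bound)

_VERSION_RE = re.compile(
    r"^(?P<core>\d+)\.x-(?P<major>\d+)\.(?P<minor>\d+|x)"
    r"(?:-(?P<stage>[a-z]+)(?P<n>\d+)?)?$"
)
# Pre-release stages sort before the final release of the same MAJOR.MINOR,
# so 7.x-2.10-beta1 < 7.x-2.10 and is therefore still inside the range.
_STAGES = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
_FINAL = 4

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Return (core, major, minor, stage_rank, n), or None if the string is
    not a comparable release (malformed, unknown stage, or a 7.x-2.x-dev
    snapshot that carries no minor number)."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m or m["minor"] == "x":
        return None
    stage = m["stage"]
    if stage is None:
        rank = _FINAL
    elif stage in _STAGES:
        rank = _STAGES[stage]
    else:
        return None
    n = int(m["n"]) if m["n"] else 0
    return (int(m["core"]), int(m["major"]), int(m["minor"]), rank, n)


def is_affected(text: str) -> Optional[bool]:
    """True if AFFECTED_FROM <= version < FIXED_IN, False if outside the
    range, None if the version cannot be placed (treat None as 'verify by
    hand', never as safe). Tuple comparison avoids the string-compare trap
    where '7.x-2.10' sorts before '7.x-2.9'."""
    v = parse_version(text)
    if v is None:
        return None
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)


def triage(inventory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split an {site: module_version} inventory into sites that need the
    7.x-2.10 update and sites whose version could not be classified."""
    needs_patch = sorted(s for s, v in inventory.items() if is_affected(v))
    unknown = sorted(s for s, v in inventory.items() if is_affected(v) is None)
    return needs_patch, unknown


# Constructed sample inventory (hostnames are placeholders, not real sites).
SAMPLE_INVENTORY = {
    "intranet.example": "7.x-2.9",
    "www.example": "7.x-2.10",
    "legacy.example": "7.x-2.10-beta1",
    "dev.example": "7.x-2.x-dev",
    "old.example": "7.x-1.7",
}

if __name__ == "__main__":
    patch, unknown = triage(SAMPLE_INVENTORY)
    print("needs 7.x-2.10:", patch)      # ['intranet.example', 'legacy.example']
    print("verify manually:", unknown)   # ['dev.example']
```

The point of returning three states rather than a boolean is that a version the scanner cannot parse must surface as work for a human, not silently land in the "not affected" bucket.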

Vulnerability details

Exposure of Sensitive Information Through Data Queries vulnerability in Drupal RESTful Web Services allows Forceful Browsing. This issue affects RESTful Web Services: from 7.x-2.0 before 7.x-2.10.

CWE(s)

CWE-202 Exposure of Sensitive Information Through Data Queries
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated exploitation of public REST endpoints for sensitive data disclosure via crafted queries/forceful browsing.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
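A T1190 mapping is only useful if it turns into a detection. The rationale above describes forceful browsing through public REST endpoints, which in access logs looks like one client walking through many resource IDs in a short window. The following is an added example, not code from this page or from the Drupal project: it parses combined-format access logs and flags that pattern. The route shape /<resource>/<id>.json is an assumption used to build the constructed sample log; replace REST_RE with the routes the site actually exposes.

```python
"""Flag enumeration-style forceful browsing of REST resources in web server
access logs (Apache/nginx combined format).

Added example for the T1190 rationale above; it is not code from this page
or from the Drupal project. The endpoint shape '/<resource>/<id>.json' is an
assumption used to build the constructed sample log below; replace REST_RE
with the routes the site actually exposes.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed REST route shape: /<resource>/<numeric id>.json[?query]
REST_RE = re.compile(r"^/(?P<resource>[a-z_]+)/(?P<id>\d+)\.json(?:\?|$)")


def parse_line(line: str) -> Optional[Dict]:
    """Return a REST access event, or None for non-REST or unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = REST_RE.match(m["path"])
    if not r:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "resource": r["resource"],
        "id": int(r["id"]),
        "status": int(m["status"]),
    }


def find_enumeration(lines, min_ids: int = 5, window_seconds: int = 60
                     ) -> List[Tuple[str, str, int, int]]:
    """Return (ip, resource, distinct_ids, returned_200) for every client that
    requested at least min_ids distinct IDs of one resource within
    window_seconds. returned_200 counts requests that actually handed data
    back, which is the difference between an attempt and a leak."""
    by_client: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_client[(ev["ip"], ev["resource"])].append(ev)

    hits = []
    for (ip, resource), evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for start in range(len(evs)):
            t0 = evs[start]["ts"]
            window = [e for e in evs[start:]
                      if (e["ts"] - t0).total_seconds() <= window_seconds]
            ids = {e["id"] for e in window}
            if len(ids) >= min_ids:
                ok = sum(1 for e in window if e["status"] == 200)
                hits.append((ip, resource, len(ids), ok))
                break  # one alert per client/resource pair is enough
    return sorted(hits)


# Constructed sample log (documentation IP ranges; no real site behind it).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /user/1.json HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /user/2.json HTTP/1.1" 200 498 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /user/3.json HTTP/1.1" 403 61 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /user/4.json HTTP/1.1" 200 503 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2025:10:00:04 +0000] "GET /user/5.json HTTP/1.1" 200 511 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /user/6.json HTTP/1.1" 200 488 "-" "curl/8.4.0"
198.51.100.4 - - [10/Jan/2025:10:00:07 +0000] "GET /node/42.json HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:00:09 +0000] "GET /node/42.json HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:00:40 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:30:00 +0000] "GET /user/7.json HTTP/1.1" 200 500 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    for ip, resource, n_ids, n_ok in find_enumeration(SAMPLE_LOG.splitlines()):
        print(f"{ip} walked {n_ids} {resource} IDs, {n_ok} returned 200")
```

The 403 on /user/3.json is kept in the count of IDs probed but not in returned_200; a run of 200s against IDs the client never navigated to through the UI is the signal that the access check was bypassed rather than merely attempted.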

CVEs Like This One

CVE-2026-30778 (shared CWE-202)
CVE-2026-33530 (shared CWE-202)
CVE-2025-68456 (shared CWE-202)
CVE-2025-25205 (shared CWE-202)
CVE-2025-59352 (shared CWE-202)
CVE-2026-40245 (shared CWE-202)

Affected Assets

Vendor: Restful Web Services Project
Product: RESTful Web Services (Drupal module)
Versions: 7.x-2.0 up to, but not including, 7.x-2.10 (fixed in 7.x-2.10)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates the CVE: identify, report, and correct the flaw in the Drupal RESTful Web Services module by updating to version 7.x-2.10 or later.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations on the REST endpoints, so that a request without the required privileges cannot forcefully browse to a resource and read sensitive information.

SI-10 Information Input Validation (prevent)
Validates data queries submitted to the REST endpoints and rejects crafted inputs that could disclose sensitive information. This is defence in depth; it does not replace the patch.

References

Drupal security advisory SA-CONTRIB-2024-019: https://www.drupal.org/sa-contrib-2024-019