
CVE-2024-13256

Severity: High
Published: 09 January 2025
Modified: 04 June 2025
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0030 (54.1st percentile)
Risk priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13256 is a high-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in Email Contact, a Drupal module published by the Email Contact Project. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).

Deeper analysis

CVE-2024-13256 is an Insufficient Granularity of Access Control vulnerability in the Drupal Email Contact module that allows Forceful Browsing. This issue affects Email Contact versions from 0.0.0 before 2.0.4.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating it is exploitable over the network with low complexity, no privileges, and no user interaction required. Unauthenticated remote attackers can perform forceful browsing to bypass access controls, resulting in high integrity impact such as unauthorized modifications.

The Drupal security advisory SA-CONTRIB-2024-020 at https://www.drupal.org/sa-contrib-2024-020 provides details on mitigation, with the issue resolved in Email Contact version 2.0.4.


Vulnerability details

Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing. This issue affects Email Contact: from 0.0.0 before 2.0.4.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated access control bypass in a public-facing Drupal web module enables exploitation of the application itself.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40365 (shared CWE-1220)
CVE-2026-33825 (shared CWE-1220)
CVE-2024-53295 (shared CWE-1220)
CVE-2025-20111 (shared CWE-1220)
CVE-2026-6356 (shared CWE-1220)
CVE-2026-35436 (shared CWE-1220)
CVE-2026-6388 (shared CWE-1220)
CVE-2025-7493 (shared CWE-1220)
CVE-2023-31343 (shared CWE-1220)
CVE-2023-31342 (shared CWE-1220)

Affected Assets

email contact project
email contact
≤ 2.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Enforces approved authorizations with sufficient granularity to block forceful browsing and unauthorized modifications in the Drupal Email Contact module.

prevent: Limits permitted actions without identification or authentication, directly countering the insufficient granularity that allows unauthenticated forceful browsing.

prevent: Controls access to publicly accessible content, mitigating forceful browsing exploits on Drupal module endpoints reachable over the network without privileges.
