CVE-2024-13256
Published: 09 January 2025
Summary
CVE-2024-13256 is a high-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in the Drupal Email Contact module (Email Contact Project). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 46.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations with sufficient granularity to block forceful browsing and unauthorized modifications in the Drupal Email Contact module.
- AC-14 (Permitted Actions Without Identification or Authentication): limits the actions permitted without identification or authentication, directly countering the insufficient granularity that allows unauthenticated forceful browsing.
- AC-22 (Publicly Accessible Content): controls what content is publicly accessible, mitigating forceful browsing against module endpoints reachable over the network without privileges.
NVD Description
Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing. This issue affects Email Contact: from 0.0.0 before 2.0.4.
Deeper analysis
CVE-2024-13256 is an Insufficient Granularity of Access Control vulnerability in the Drupal Email Contact module that allows Forceful Browsing. This issue affects Email Contact versions from 0.0.0 before 2.0.4.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N): it is exploitable over the network with low attack complexity, no privileges required, and no user interaction. Unauthenticated remote attackers can forcefully browse to endpoints that should be restricted, bypassing access controls; the impact is rated high for integrity (unauthorized modifications) and none for confidentiality and availability.
The Drupal security advisory SA-CONTRIB-2024-020 at https://www.drupal.org/sa-contrib-2024-020 provides details on mitigation, with the issue resolved in Email Contact version 2.0.4.
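To illustrate the defect class (CWE-1220, forceful browsing in a Drupal contrib module) in concrete terms, the following is an added example and is not code from the Email Contact module or the advisory. The module name `example_contact`, the route, the permission strings, the `example_contact.message_storage` service and the message entity's `getOwnerId()` method are all assumptions. It shows a route whose access requirement lets any visitor reach a state-changing controller, beside the corrected route, which requires a permission, a CSRF token, and a custom access check that also enforces ownership.

```php
<?php
// Added example; hypothetical module "example_contact". Not the Email Contact module's code.
//
// example_contact.routing.yml (hypothetical) -- the forceful-browsing pattern:
//
//   example_contact.message_delete:
//     path: '/example-contact/message/{message_id}/delete'
//     defaults:
//       _controller: '\Drupal\example_contact\Controller\MessageController::delete'
//     requirements:
//       _access: 'TRUE'          # any visitor, including anonymous, may reach this
//
// Corrected routing: require a permission, a CSRF token, and a custom check
// that looks at the specific message being acted on.
//
//   example_contact.message_delete:
//     path: '/example-contact/message/{message_id}/delete'
//     defaults:
//       _controller: '\Drupal\example_contact\Controller\MessageController::delete'
//     requirements:
//       _permission: 'delete example contact messages'
//       _custom_access: '\Drupal\example_contact\Access\MessageAccessCheck::access'
//       _csrf_token: 'TRUE'      # state-changing links must carry a CSRF token

namespace Drupal\example_contact\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\example_contact\MessageStorageInterface; // hypothetical storage interface
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Per-request access check for message routes (added example).
 */
final class MessageAccessCheck implements ContainerInjectionInterface {

  public function __construct(private readonly MessageStorageInterface $storage) {}

  public static function create(ContainerInterface $container): static {
    // Hypothetical service id; the class resolver calls create() for
    // _custom_access callbacks that implement ContainerInjectionInterface.
    return new static($container->get('example_contact.message_storage'));
  }

  /**
   * Called for the _custom_access requirement; $message_id is the path parameter.
   */
  public function access(AccountInterface $account, string $message_id): AccessResultInterface {
    // Anonymous users can never modify messages, whatever the route config says.
    if ($account->isAnonymous()) {
      return AccessResult::forbidden('Authentication required.')
        ->addCacheContexts(['user.roles:anonymous']);
    }

    $message = $this->storage->load($message_id);
    if ($message === NULL) {
      // Same answer as "unauthorized" so the ID space cannot be enumerated.
      return AccessResult::forbidden()->addCacheContexts(['url.path']);
    }

    // Granularity: holding the route permission is not enough; the caller must
    // own this particular message or hold an explicit administrative permission.
    $isOwner = (int) $message->getOwnerId() === (int) $account->id();
    $result = AccessResult::allowedIf($isOwner)
      ->orIf(AccessResult::allowedIfHasPermission($account, 'administer example contact'));

    return $result
      ->addCacheContexts(['user'])
      ->addCacheableDependency($message);
  }

}
```

The cache contexts and the `addCacheableDependency()` call matter in Drupal: an access result that is cached without them can be served to a different user or after the message's ownership changes, which reintroduces the same class of bypass through the render and dynamic page caches.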
Details
- CWE(s)