CVE-2024-13259
Published: 09 January 2025
Summary
CVE-2024-13259 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in the Drupal Image Sizes module (vendor: Image Sizes Project). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 40.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
Timely patching of the Drupal Image Sizes module to version 3.0.2 or later directly remediates the specific flaw causing sensitive information disclosure via forceful browsing.
Filtering information in application outputs prevents the insertion of sensitive data into responses, directly addressing CWE-201 in this vulnerability.
Monitoring systems for indicators of unauthorized information disclosure detects exploitation of the forceful browsing vulnerability exposing sensitive data.
NVD Description
Insertion of Sensitive Information Into Sent Data vulnerability in Drupal Image Sizes allows Forceful Browsing. This issue affects Image Sizes: from 0.0.0 before 3.0.2.
Deeper analysis (AI-generated)
CVE-2024-13259 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the Drupal Image Sizes module. This issue affects all versions of the module from 0.0.0 before 3.0.2 and enables forceful browsing, where sensitive data is exposed in responses due to improper handling.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required. Attackers can achieve high-impact confidentiality violations by forcefully browsing to certain endpoints, resulting in the disclosure of sensitive information sent by the application.
The Drupal security advisory SA-CONTRIB-2024-023 at https://www.drupal.org/sa-contrib-2024-023 provides details on the vulnerability and recommends updating the Image Sizes module to version 3.0.2 or later as the primary mitigation.
Details
- CWE(s)