CVE-2024-13260
Published: 09 January 2025
Summary
CVE-2024-13260 is a high-severity CSRF (CWE-352) vulnerability in the Migrate Queue Importer module for Drupal (vendor: Migrate Queue Importer Project). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 37.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13260 is a Cross-Site Request Forgery (CSRF) vulnerability in the Drupal Migrate queue importer module. This issue affects all versions of the module from 0.0.0 up to but not including 2.1.1. The vulnerability, mapped to CWE-352, enables attackers to perform unauthorized actions by forging requests on behalf of authenticated users.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no required privileges, and the need for user interaction with no change in scope. An attacker can exploit it by enticing a logged-in Drupal user to visit a malicious webpage, which submits forged requests to the vulnerable importer endpoint. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, such as unauthorized data import, modification, or deletion.
The official Drupal Security Advisory SA-CONTRIB-2024-024, available at https://www.drupal.org/sa-contrib-2024-024, details the vulnerability and mitigation steps. Administrators should upgrade the Migrate queue importer module to version 2.1.1 or later to address the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51474
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Migrate queue importer allows Cross Site Request Forgery. This issue affects Migrate queue importer: from 0.0.0 before 2.1.1.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
A CSRF vulnerability in a public-facing Drupal web module directly enables exploitation of the application via forged authenticated requests, matching T1190.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): remediates the specific CSRF vulnerability in the Drupal Migrate queue importer by requiring timely installation of the vendor patch (upgrade to version 2.1.1 or later).
- SC-23 (Session Authenticity): enforces session authenticity mechanisms, such as anti-CSRF tokens, to prevent attackers from forging requests on behalf of authenticated Drupal users.
- Input validation at the importer endpoint: validates inputs to the vulnerable endpoint, including CSRF tokens or origin checks, to block unauthorized forged requests.
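The session-authenticity and input-validation controls above reduce to two server-side checks on a state-changing endpoint such as the importer: a token bound to the user's session that a cross-site page cannot obtain, and an Origin/Referer check as defence in depth. The Python block below is an added illustration of that pattern written for this page; it is not the module's code and not Drupal's own CSRF implementation (in Drupal, Form API attaches a form token automatically and custom routes can declare a `_csrf_token` requirement). The site origin, secret key, session ids and request headers are constructed values.

```python
"""Generic CSRF defence for a state-changing endpoint: session-bound token
plus Origin/Referer check. Constructed illustration, not Drupal's code."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed values for the illustration (constructed, not from the advisory).
SITE_ORIGIN = "https://example.invalid"
SECRET_KEY = b"server-side-secret-for-illustration-only"


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session with an HMAC over a server secret.

    A page on another origin cannot read this value (same-origin policy), and a
    token issued for a different session fails the comparison below.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our site.

    Headers are assumed normalised to canonical case by the framework.
    Requests with neither header fail closed.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is None:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def validate_import_request(session_id: str, headers: dict, form: dict) -> tuple:
    """Return (accepted, reason) for a POST to the importer endpoint."""
    if not origin_allowed(headers):
        return False, "origin mismatch"
    submitted = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, expected):
        return False, "token mismatch"
    return True, "ok"


def run_demo() -> dict:
    """Evaluate constructed requests against the checks; returns name -> reason."""
    session = "sess-constructed-1234"
    good_token = issue_csrf_token(session)
    cases = {
        # Form rendered by the site itself: correct Origin and this session's token.
        "legitimate": ({"Origin": SITE_ORIGIN}, {"csrf_token": good_token}),
        # Auto-submitted form on another site: browser sends that site's Origin, no token.
        "cross_site_no_token": ({"Origin": "https://attacker.invalid"}, {}),
        # Defence in depth: a correct token is still refused when Origin is wrong.
        "cross_site_with_token": ({"Origin": "https://attacker.invalid"}, {"csrf_token": good_token}),
        # A token issued for a different session replayed under this one.
        "other_session_token": ({"Origin": SITE_ORIGIN}, {"csrf_token": issue_csrf_token("sess-other")}),
        # Same-origin request carrying only a Referer header (no Origin header).
        "referer_only": ({"Referer": SITE_ORIGIN + "/admin/import"}, {"csrf_token": good_token}),
        # No origin information at all: fail closed.
        "no_headers": ({}, {"csrf_token": good_token}),
    }
    return {name: validate_import_request(session, h, f)[1] for name, (h, f) in cases.items()}


if __name__ == "__main__":
    for name, reason in run_demo().items():
        print(f"{name:24s} -> {reason}")
```

The token check alone closes the CSRF hole described in the advisory, because the forged request the malicious page submits cannot include a value scoped to the victim's session; the Origin check catches misconfigurations where a token leaks or is omitted from a route, which is why the controls list both.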