Cyber Resilience

CVE-2024-13260

High

Published: 09 January 2025
Modified: 04 June 2025
KEV Added: not listed
Patch: available (2.1.1)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (62.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13260 is a high-severity CSRF (CWE-352) vulnerability in the Migrate Queue Importer module for Drupal (vendor: Migrate Queue Importer Project). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13260 is a Cross-Site Request Forgery (CSRF) vulnerability in the Drupal Migrate queue importer module. This issue affects all versions of the module from 0.0.0 up to but not including 2.1.1. The vulnerability, mapped to CWE-352, enables attackers to perform unauthorized actions by forging requests on behalf of authenticated users.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no required privileges, and the need for user interaction with no change in scope. An attacker can exploit it by enticing a logged-in Drupal user to visit a malicious webpage, which submits forged requests to the vulnerable importer endpoint. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, such as unauthorized data import, modification, or deletion.

The official Drupal Security Advisory SA-CONTRIB-2024-024, available at https://www.drupal.org/sa-contrib-2024-024, details the vulnerability and mitigation steps. Administrators should upgrade the Migrate queue importer module to version 2.1.1 or later to address the issue.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Migrate queue importer allows Cross Site Request Forgery. This issue affects Migrate queue importer: from 0.0.0 before 2.1.1.

CWE(s): CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CSRF vulnerability in public-facing Drupal web module directly enables exploitation of the application via forged authenticated requests, matching T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-37102 (shared CWE-352)
CVE-2024-37450 (shared CWE-352)
CVE-2025-23558 (shared CWE-352)
CVE-2025-68722 (shared CWE-352)
CVE-2025-31440 (shared CWE-352)
CVE-2025-23848 (shared CWE-352)
CVE-2025-22571 (shared CWE-352)
CVE-2024-53684 (shared CWE-352)
CVE-2025-23455 (shared CWE-352)
CVE-2025-22582 (shared CWE-352)

Affected Assets

Vendor: migrate queue importer project
Product: migrate queue importer
Versions: ≤ 2.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation · prevent

Remediates the specific CSRF vulnerability in the Drupal Migrate queue importer by requiring timely installation of the vendor patch (upgrade to version 2.1.1 or later).

SC-23 Session Authenticity · prevent

Enforces session authenticity mechanisms, such as anti-CSRF tokens, to prevent attackers from forging requests on behalf of authenticated Drupal users.

Input validation · prevent

Validates inputs to the vulnerable importer endpoint, including CSRF tokens or origin checks, to block unauthorized forged requests.
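The two controls above (a session-bound anti-CSRF token and an origin check on the request) can be applied in a Drupal module's own controller as follows. This is an added example, not code from the Migrate queue importer module or its advisory: the module name `my_module`, the route `my_module.import_run`, the permission string and the `TOKEN_SEED` constant are placeholders. It uses only Drupal core's `csrf_token` service (`CsrfTokenGenerator::get()` / `validate()`), whose tokens are derived from the current session's CSRF seed and the site's private key.

```php
<?php

declare(strict_types=1);

// Hypothetical module "my_module"; every name below is a placeholder and
// none of this is the Migrate queue importer module's own code.
//
// my_module.routing.yml:
//
//   my_module.import_run:
//     path: '/admin/my-module/import/{queue}/run'
//     defaults:
//       _controller: '\Drupal\my_module\Controller\ImportController::run'
//     requirements:
//       _permission: 'administer my_module imports'
//     methods: [POST]
//
// Limiting the route to POST means a plain cross-site link or <img> tag
// cannot reach it; the token and Origin checks below cover forged forms.

namespace Drupal\my_module\Controller;

use Drupal\Core\Access\CsrfTokenGenerator;
use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

final class ImportController extends ControllerBase {

  // Seed that ties a token to this specific action. Any string works as long
  // as the issuing side and the validating side use the same value.
  private const TOKEN_SEED = 'my_module:import_run:';

  public function __construct(private readonly CsrfTokenGenerator $csrfToken) {}

  public static function create(ContainerInterface $container): static {
    return new static($container->get('csrf_token'));
  }

  /**
   * Issues the token the site's own admin form or AJAX call embeds.
   *
   * Because the value depends on the visitor's session seed, a token taken
   * from one session is useless in another, and a third-party page cannot
   * compute it in advance.
   */
  public function tokenFor(string $queue): string {
    return $this->csrfToken->get(self::TOKEN_SEED . $queue);
  }

  /**
   * Handles POST /admin/my-module/import/{queue}/run.
   */
  public function run(string $queue, Request $request): JsonResponse {
    // 1. Session-bound anti-CSRF token (SC-23). Accept it as a form field or
    //    as a header set by the site's own JavaScript.
    $token = $request->request->get('token') ?? $request->headers->get('X-CSRF-Token', '');
    if (!$this->csrfToken->validate((string) $token, self::TOKEN_SEED . $queue)) {
      // validate() compares with hash_equals(), so the check is constant-time.
      throw new AccessDeniedHttpException('Missing or invalid CSRF token.');
    }

    // 2. Origin check on the request. Browsers set Origin on cross-site POSTs
    //    and page scripts cannot overwrite it, so a value naming another host
    //    identifies a forged request.
    if (!$this->originMatches($request)) {
      throw new AccessDeniedHttpException('Cross-origin request rejected.');
    }

    // ... enqueue the import here ...
    return new JsonResponse(['queue' => $queue, 'status' => 'queued']);
  }

  /**
   * TRUE when Origin is absent or names this site's host.
   *
   * An absent header is tolerated because the token check above is the
   * primary control; a present header from another host, or the literal
   * "null" origin (parse_url() yields no host for it), is always rejected.
   */
  private function originMatches(Request $request): bool {
    $origin = $request->headers->get('Origin');
    if ($origin === NULL) {
      return TRUE;
    }
    return parse_url($origin, PHP_URL_HOST) === $request->getHost();
  }
}
```

For endpoints triggered by a generated link rather than a POST form, Drupal core offers the equivalent protection declaratively: add `_csrf_token: 'TRUE'` to the route's `requirements` and build the link with `Url::fromRoute()`, and core appends and validates a per-session `token` query parameter itself. Either way the defensive point is the same as the advisory's fix: a state-changing request must carry a secret the forging page cannot know.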

References