CVE-2024-13267
Published: 09 January 2025
Summary
CVE-2024-13267 is a high-severity Static Code Injection (CWE-96) vulnerability in Opigno Tincan Question Type. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). It ranks at the 33.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Mandates timely identification, reporting, testing, and correction of flaws such as this static code injection vulnerability, here by updating the Opigno TinCan Question Type module to 7.X-1.3 or later.
SI-10 (Information Input Validation): Enforces validation of user input to the Drupal module before it is saved into static code, so that PHP directives which would otherwise enable local file inclusion are properly neutralized.
RA-5 (Vulnerability Monitoring and Scanning): Requires vulnerability scanning to identify exposures such as CVE-2024-13267 in Drupal modules, followed by risk-based remediation to prevent exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary PHP code execution via file upload in the Drupal web application, facilitating web shell deployment (T1100) and exploitation of public-facing applications (T1190).
NVD Description
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno TinCan Question Type allows PHP Local File Inclusion. This issue affects Opigno TinCan Question Type: from 7.X-1.0 before 7.X-1.3.
Deeper analysis
CVE-2024-13267 is an Improper Neutralization of Directives in Statically Saved Code vulnerability, classified as Static Code Injection (CWE-96), in the Drupal Opigno TinCan Question Type module. This flaw allows PHP Local File Inclusion and affects versions from 7.X-1.0 up to but not including 7.X-1.3.
With a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network by an attacker who already holds low privileges. Exploitation requires high attack complexity but no user interaction, and a successful attack yields high impact on confidentiality, integrity, and availability through PHP Local File Inclusion.
The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-031 details the issue. Mitigation requires updating the Opigno TinCan Question Type module to version 7.X-1.3 or later; installations on any 7.X-1.x release before 7.X-1.3 should be treated as affected.
Details
- CWE(s)