Cyber Posture

CVE-2024-13276

High

Published: 09 January 2025

Published
09 January 2025
Modified
02 September 2025
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0019 41.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13276 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in File Entity Project File Entity. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Wordlist Scanning (T1595.003); ranked at the 41.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Wordlist Scanning (T1595.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates CVE-2024-13276 by requiring timely remediation of known flaws through patching or upgrading the vulnerable Drupal File Entity module to version 7.x-2.39 or later.

SI-15 Information Output Filtering good match
prevent

Prevents insertion of sensitive information into sent data by filtering outputs prior to transmission, directly addressing the CWE-201 vulnerability exploited via forceful browsing.

AC-22 Publicly Accessible Content good match
prevent

Restricts publication of sensitive information on publicly accessible Drupal systems, mitigating unauthorized disclosure through forceful browsing of file entity data.

MITRE ATT&CK Enterprise TechniquesAI

T1595.003 Wordlist Scanning Reconnaissance
Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques.
attack.mitre.org →
Why these techniques?

The vulnerability misplaces private files into publicly accessible directories, enabling forceful browsing via wordlist scanning to discover and access sensitive information without authentication.

NVD Description

Insertion of Sensitive Information Into Sent Data vulnerability in Drupal File Entity (fieldable files) allows Forceful Browsing.This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.39.

Deeper analysisAI

CVE-2024-13276 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the Drupal File Entity (fieldable files) module, enabling forceful browsing. It affects File Entity versions 7.x before 7.x-2.39. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from remote exploitation.

Remote unauthenticated attackers can exploit this issue over the network with low attack complexity and no user interaction. Exploitation allows attackers to conduct forceful browsing, resulting in the disclosure of sensitive information included in sent data.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-040 details the vulnerability. Mitigation involves upgrading to File Entity version 7.x-2.39 or later.

Details

CWE(s)
CWE-201

Affected Products

file entity project
file entity
≤ 7.x-2.39

CVEs Like This One

CVE-2026-24430Shared CWE-201
CVE-2024-13254Shared CWE-201
CVE-2026-20151Shared CWE-201
CVE-2026-27934Shared CWE-201
CVE-2025-23774Shared CWE-201
CVE-2025-68033Shared CWE-201
CVE-2026-32538Shared CWE-201
CVE-2025-68035Shared CWE-201
CVE-2026-27406Shared CWE-201
CVE-2025-23781Shared CWE-201

References