Cyber Resilience

CVE-2024-13276

High

Published: 09 January 2025

Published
09 January 2025
Modified
02 September 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0026 50.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13276 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in File Entity Project File Entity. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Wordlist Scanning (T1595.003); ranked in the top 50.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-13276 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the Drupal File Entity (fieldable files) module, enabling forceful browsing. It affects File Entity versions 7.x before 7.x-2.39. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from remote exploitation.

Remote unauthenticated attackers can exploit this issue over the network with low attack complexity and no user interaction. Exploitation allows attackers to conduct forceful browsing, resulting in the disclosure of sensitive information included in sent data.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-040 details the vulnerability. Mitigation involves upgrading to File Entity version 7.x-2.39 or later.

EU & UK References

Vulnerability details

Insertion of Sensitive Information Into Sent Data vulnerability in Drupal File Entity (fieldable files) allows Forceful Browsing.This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.39.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1595.003 Wordlist Scanning Reconnaissance
Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques.
Why these techniques?

The vulnerability misplaces private files into publicly accessible directories, enabling forceful browsing via wordlist scanning to discover and access sensitive information without authentication.

CVEs Like This One

CVE-2025-68033Shared CWE-201
CVE-2026-32538Shared CWE-201
CVE-2025-68035Shared CWE-201
CVE-2026-20151Shared CWE-201
CVE-2026-27370Shared CWE-201
CVE-2026-39912Shared CWE-201
CVE-2026-42673Shared CWE-201
CVE-2026-4525Shared CWE-201
CVE-2026-28481Shared CWE-201
CVE-2020-37150Shared CWE-201

Affected Assets

file entity project
file entity
≤ 7.x-2.39

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2024-13276 by requiring timely remediation of known flaws through patching or upgrading the vulnerable Drupal File Entity module to version 7.x-2.39 or later.

prevent

Prevents insertion of sensitive information into sent data by filtering outputs prior to transmission, directly addressing the CWE-201 vulnerability exploited via forceful browsing.

prevent

Restricts publication of sensitive information on publicly accessible Drupal systems, mitigating unauthorized disclosure through forceful browsing of file entity data.

References