Cyber Resilience

CVE-2024-13278

Severity: Critical
Published: 09 January 2025
Modified: 02 September 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (Diff module 1.8.0)
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0022 (45.2nd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13278 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in the Drupal Diff module (listed as vendor "Diff Project", product "Diff"). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213). The CVE ranks at the 45.2nd percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13278 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Diff module that allows Functionality Misuse. It affects all versions of the Diff module from 0.0.0 before 1.8.0. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high confidentiality and integrity impacts.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables functionality misuse, potentially allowing unauthorized access to sensitive data or modifications that compromise the integrity of Drupal sites using the affected Diff module.

The Drupal security advisory SA-CONTRIB-2024-042 at https://www.drupal.org/sa-contrib-2024-042 recommends upgrading to Diff module version 1.8.0 as the primary mitigation. No additional workarounds are specified in available details.

Vulnerability details

Incorrect Authorization vulnerability in Drupal Diff allows Functionality Misuse. This issue affects Diff: from 0.0.0 before 1.8.0.

CWE(s): CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1213 Data from Information Repositories (tactic: Collection)
Adversaries may leverage information repositories to mine valuable information.

Why these techniques?

The incorrect authorization in the Drupal Diff module allows the access check to be bypassed when rendering diff reports for restricted revisions of nodes and entities, which facilitates unauthorized collection of data from Drupal content repositories.

CVEs Like This One

CVE-2026-25811 (shared CWE-863)
CVE-2025-21506 (shared CWE-863)
CVE-2025-21516 (shared CWE-863)
CVE-2026-42843 (shared CWE-863)
CVE-2025-21565 (shared CWE-863)
CVE-2026-28951 (shared CWE-863)
CVE-2026-44110 (shared CWE-863)
CVE-2025-55177 (shared CWE-863)
CVE-2026-46823 (shared CWE-863)
CVE-2026-42432 (shared CWE-863)

Affected Assets

Vendor: diff project
Product: diff
Versions: 2.0.0 · ≤ 1.8.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Requires timely flaw remediation by upgrading the Drupal Diff module to version 1.8.0, directly eliminating the incorrect authorization vulnerability.

AC-3 Access Enforcement (prevent)
Mandates enforcement mechanisms for approved access authorizations, preventing unauthenticated functionality misuse due to authorization flaws in the Diff module.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Explicitly authorizes the specific actions that may be performed without authentication, mitigating the risk of unauthorized access and misuse in the unauthenticated context exploited by this CVE.
