CVE-2024-13282

High

Published: 09 January 2025

Published

09 January 2025

Modified

02 September 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0013 32.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13282 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Block Permissions Project Block Permissions. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, directly preventing the incorrect authorization bypass via forceful browsing in the Drupal module.

SI-2 Flaw Remediation good match

prevent

Remediates known flaws like this authorization vulnerability by identifying, reporting, and correcting through module upgrade to version 1.2.0.

SI-10 Information Input Validation partial match

prevent

Validates information inputs such as URLs and paths to mitigate forceful browsing attempts that bypass authorization checks.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The incorrect authorization vulnerability enables users with 'administer blocks provided by [provider]' permission to bypass theme-specific block management restrictions via forceful browsing to the add block route, facilitating privilege escalation by allowing unauthorized block placement.

NVD Description

Incorrect Authorization vulnerability in Drupal Block permissions allows Forceful Browsing.This issue affects Block permissions: from 1.0.0 before 1.2.0.

Deeper analysisAI

CVE-2024-13282 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Block permissions module that allows forceful browsing. The issue affects Block permissions versions from 1.0.0 up to but not including 1.2.0.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with unchanged scope and high impacts on confidentiality, integrity, and availability. Unauthenticated attackers can exploit it remotely by bypassing authorization checks through direct URL access, potentially leading to unauthorized data access, modification, or disruption.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-046 details the vulnerability. Mitigation requires upgrading the Block permissions module to version 1.2.0 or later.