Cyber Resilience

CVE-2024-13282

High

Published: 09 January 2025

Published
09 January 2025
Modified
02 September 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0018 39.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13282 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Block Permissions Project Block Permissions. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 39.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13282 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Block permissions module that allows forceful browsing. The issue affects Block permissions versions from 1.0.0 up to but not including 1.2.0.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with unchanged scope and high impacts on confidentiality, integrity, and availability. Unauthenticated attackers can exploit it remotely by bypassing authorization checks through direct URL access, potentially leading to unauthorized data access, modification, or disruption.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-046 details the vulnerability. Mitigation requires upgrading the Block permissions module to version 1.2.0 or later.

EU & UK References

Vulnerability details

Incorrect Authorization vulnerability in Drupal Block permissions allows Forceful Browsing.This issue affects Block permissions: from 1.0.0 before 1.2.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The incorrect authorization vulnerability enables users with 'administer blocks provided by [provider]' permission to bypass theme-specific block management restrictions via forceful browsing to the add block route, facilitating privilege escalation by allowing unauthorized block placement.

CVEs Like This One

CVE-2026-28951Shared CWE-863
CVE-2026-42432Shared CWE-863
CVE-2024-40771Shared CWE-863
CVE-2026-34972Shared CWE-863
CVE-2025-0360Shared CWE-863
CVE-2026-4639Shared CWE-863
CVE-2026-42429Shared CWE-863
CVE-2026-41404Shared CWE-863
CVE-2020-36969Shared CWE-863
CVE-2026-24428Shared CWE-863

Affected Assets

block permissions project
block permissions
1.0.0 — 1.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly preventing the incorrect authorization bypass via forceful browsing in the Drupal module.

prevent

Remediates known flaws like this authorization vulnerability by identifying, reporting, and correcting through module upgrade to version 1.2.0.

prevent

Validates information inputs such as URLs and paths to mitigate forceful browsing attempts that bypass authorization checks.

References