CVE-2024-13311
Published: 09 January 2025
Summary
CVE-2024-13311 is a high-severity an unspecified weakness vulnerability in Allow All File Extensions For File Fields Project Allow All File Extensions For File Fields. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13311 is a vulnerability in the Drupal module "Allow All File Extensions for file fields." This issue affects Allow All File Extensions for file fields: *.*.
The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N). An attacker with low privileges can exploit it over the network with low attack complexity, but it requires user interaction. Successful exploitation enables high impacts on confidentiality and integrity, with no availability impact.
Mitigation details are provided in the Drupal security advisory SA-CONTRIB-2024-075 at https://www.drupal.org/sa-contrib-2024-075.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51523
Vulnerability details
Vulnerability in Drupal Allow All File Extensions for file fields.This issue affects Allow All File Extensions for file fields: *.*.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The Drupal module vulnerability allows arbitrary file extensions in uploads, enabling exploitation of public-facing web applications (T1190) and facilitating web shell deployment (T1100).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation directly addresses CVE-2024-13311 by patching the vulnerable Drupal 'Allow All File Extensions' module as specified in SA-CONTRIB-2024-075.
Validates file uploads for proper extensions, MIME types, and content to block malicious files enabled by the unrestricted file extension allowance.
Restricts file types accepted by Drupal file fields, countering the module's allowance of all extensions (*.*) that enables attacker uploads.