CVE-2024-13250

8.8 HIGH

📋 TL;DR

This Cross-Site Request Forgery (CSRF) vulnerability in Drupal Symfony Mailer Lite allows attackers to trick authenticated users into performing unintended actions on the Drupal site. It affects all Drupal installations using the Symfony Mailer Lite module from initial release through version 1.0.5.

💻 Affected Systems

Products:
  • Drupal Symfony Mailer Lite
Versions: 0.0.0 through 1.0.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the Symfony Mailer Lite module enabled. Requires an authenticated user session to exploit.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could trick an administrator into changing system configurations, creating new admin accounts, or modifying content permissions, potentially leading to complete site compromise.

🟠 Likely Case

Attackers could manipulate authenticated users to change their own settings, submit forms, or perform actions within their permission scope without their knowledge.

🟢 If Mitigated

With proper CSRF protections enabled, the vulnerability would be blocked, preventing unauthorized state-changing requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to trick authenticated users into visiting malicious pages while logged into the Drupal site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.6

Vendor Advisory: https://www.drupal.org/sa-contrib-2024-014

Restart Required: No

Instructions:

1. Update the Symfony Mailer Lite module to version 1.0.6 or later via Drupal's update manager.
2. Clear Drupal caches after the update.
3. Verify the update was successful by checking the module version.

🔧 Temporary Workarounds

Disable Symfony Mailer Lite Module

Applies to: all

Temporarily disable the vulnerable module until patching is possible. On Drupal 8 and later a module cannot be disabled, only uninstalled, so the Drush command is pm:uninstall; uninstalling removes the module's configuration, so export it first if you intend to re-enable the module after patching.

drush pm:uninstall symfony_mailer_lite

🧯 If You Can't Patch

  • Implement additional CSRF protection at the web application firewall level
  • Disable the Symfony Mailer Lite module entirely

🔍 How to Verify

Check if Vulnerable:

Check whether the Symfony Mailer Lite module is enabled and its version is 1.0.5 or lower, via the Drupal admin interface or the drush command: drush pm:list | grep symfony_mailer_lite

Check Version:

drush pm:list | grep symfony_mailer_lite

Verify Fix Applied:

Verify module version is 1.0.6 or higher: drush pm:list | grep symfony_mailer_lite
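The version check above, scripted as an added example that is not part of this advisory: it classifies `drush pm:list` output for the module, assuming the Package / Name (machine name) / Status / Version column layout shown in the constructed sample lines, and reports whether the module is enabled at a version below the fixed 1.0.6.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a `drush pm:list` line for
# Symfony Mailer Lite as vulnerable (enabled, < 1.0.6), fixed, or not enabled.
# Assumption: drush prints columns Package / Name (machine name) / Status / Version.

FIXED_VERSION="1.0.6"   # first fixed release named in the advisory

# Constructed sample lines, as `drush pm:list | grep symfony_mailer_lite` might print them.
SAMPLE_VULN=" Mail  Symfony Mailer Lite (symfony_mailer_lite)  Enabled   8.x-1.0.5"
SAMPLE_FIXED=" Mail  Symfony Mailer Lite (symfony_mailer_lite)  Enabled   1.0.6"
SAMPLE_OFF=" Mail  Symfony Mailer Lite (symfony_mailer_lite)  Disabled  8.x-1.0.5"

# Strip a Drupal core prefix such as "8.x-" and a "-dev"/"-beta1" suffix.
normalise_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*\.x-//' -e 's/-.*$//'
}

# version_lt A B: succeed when dotted version A is strictly lower than B.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# csrf_status LINE: prints vulnerable | fixed | not_enabled | unknown.
csrf_status() {
    case "$1" in
        *symfony_mailer_lite*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    status=$(printf '%s\n' "$1" | awk '{print $(NF-1)}')
    version=$(normalise_version "$(printf '%s\n' "$1" | awk '{print $NF}')")
    if [ "$status" != "Enabled" ]; then
        echo "not_enabled"
    elif version_lt "$version" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# Stand-alone run against the constructed samples; on a real site pipe drush output:
#   drush pm:list | grep symfony_mailer_lite | while read -r l; do csrf_status "$l"; done
for line in "$SAMPLE_VULN" "$SAMPLE_FIXED" "$SAMPLE_OFF"; do csrf_status "$line"; done
```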

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to Symfony Mailer Lite endpoints without CSRF tokens
  • Multiple failed CSRF validation attempts

Network Indicators:

  • Requests to Drupal endpoints with missing or invalid CSRF tokens from unexpected referrers

SIEM Query:

web_requests WHERE (uri CONTAINS 'symfony_mailer_lite' OR uri CONTAINS 'mailer') AND (csrf_token IS NULL OR csrf_token INVALID) AND method='POST'

This query assumes the log pipeline already extracts the CSRF token into a csrf_token field. Stock web server access logs do not record POST bodies, where Drupal's form token is sent, so the token has to be captured at the application or WAF layer for the query to return anything.
