CVE-2024-13252

5.4 MEDIUM

📋 TL;DR

This cross-site scripting (XSS) vulnerability in the Drupal TacJS module lets an attacker inject script that executes in the browsers of other users viewing affected pages. All Drupal sites running TacJS versions before 6.5.0 are affected. A successful injection can steal session cookies, redirect users, or perform actions in the victim's browser with the victim's privileges.

💻 Affected Systems

Products:
  • Drupal TacJS module
Versions: 0.0.0 through 6.4.x
Operating Systems: All operating systems running Drupal
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with TacJS module enabled. The vulnerability exists in how TacJS handles user input during web page generation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator session cookies, gain full control of Drupal site, install backdoors, or deface website.

🟠

Likely Case

Attackers steal user session cookies to hijack accounts, redirect users to malicious sites, or perform limited actions on behalf of users.

🟢

If Mitigated

With the 6.5.0 fix applied (output is escaped), or with a Content Security Policy that blocks inline and third-party script, an injected payload is either rendered as harmless text or prevented from executing; residual impact is limited to cosmetic disruption of the affected page.

🌐 Internet-Facing: HIGH - Web applications are directly accessible to attackers who can craft malicious payloads.
🏢 Internal Only: MEDIUM - Internal users could still exploit if they have access to input fields, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS flaws are routinely exploited and need little skill: the attacker only has to reach the input that TacJS renders without proper escaping and supply a payload in it. No public proof of concept is known for this specific issue, but XSS payload construction is generic enough that the absence of one is not a meaningful barrier.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.0

Vendor Advisory: https://www.drupal.org/sa-contrib-2024-016

Restart Required: No

Instructions:

1. Update TacJS to 6.5.0 or later: on a Composer-managed site run composer update drupal/tacjs (then drush updatedb if a database update is pending); otherwise use Drupal's Update Manager.
2. Clear caches: drush cache:rebuild (or Configuration > Performance > Clear all caches).
3. Verify the installed version is 6.5.0 or later (see How to Verify below).

🔧 Temporary Workarounds

Disable TacJS module

linux

Temporarily remove the vulnerable module until patching is possible. Drupal 8 and later have no "disabled" state, and pm-disable is a Drupal 7 / Drush 8 command; on current sites uninstall the module instead:

drush pm:uninstall tacjs

Uninstalling deletes the module's configuration, so export it first (drush config:export) if you need to reinstall with the same settings. Whatever functionality TacJS provides on the site is unavailable while it is uninstalled.

Implement Content Security Policy

all

Add a CSP header so that injected inline or third-party script is not executed by the browser. This does not remove the flaw; it limits what a successful injection can do, and only in browsers that enforce the policy.

Add to .htaccess (or the vhost config): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"

script-src 'self' blocks all inline script, which can break themes or modules that rely on it; deploy the policy as Content-Security-Policy-Report-Only first and review the violation reports before enforcing it. Drupal's settings.php is a configuration file and does not set response headers by itself; to manage the policy from within Drupal, use the contrib Content Security Policy (csp) module or a response event subscriber.

🧯 If You Can't Patch

  • Put a web application firewall (WAF) in front of the site with rules that block common XSS payloads (script tags, javascript: URIs, event-handler attributes), including URL-encoded and double-encoded forms; treat this as a speed bump rather than a fix, since filter bypasses are routine.
  • Restrict who can submit the input that TacJS renders. Drupal has no separate "XSS protection module"; the relevant built-ins are core's Filter module (text formats with "Limit allowed HTML tags and correct faulty HTML", with Full HTML reserved for trusted roles), Twig autoescaping, and limiting the permissions that grant access to the module's configuration to trusted administrators.

🔍 How to Verify

Check if Vulnerable:

Check the TacJS version in the Drupal admin UI at /admin/modules (expand the module's row) or at /admin/reports/updates, which also flags whether a security update is available. From the shell: drush pm:list --filter=tacjs (Drush 9+; drush pm-list | grep tacjs on Drush 8).

Check Version:

drush pm:list --filter=tacjs (read the Version column; Drush 9+)
On Drush 8: drush pmi tacjs | grep Version
On Composer-managed sites the authoritative answer is: composer show drupal/tacjs

Verify Fix Applied:

Confirm the installed version is 6.5.0 or higher: drush pm:list --filter=tacjs (or composer show drupal/tacjs), and confirm that /admin/reports/updates no longer lists TacJS as needing a security update.
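A fleet-wide version check, as an added example written for this page (not code from the advisory or the TacJS project). It reads either the version line that drupal.org packaging adds to tacjs.info.yml or the drupal/tacjs entry in the site's composer.lock, normalises the version strings Drupal releases use (6.4.3, legacy 8.x-6.4.3, 6.5.0-beta1, 6.x-dev), and treats anything below 6.5.0, a pre-release of 6.5.0, or an undeterminable version as unpatched. The file contents below are constructed samples.

```python
import json
import re

FIXED = (6, 5, 0)  # first fixed release per the advisory

# Constructed tacjs.info.yml contents (not real files): the cases a fleet check meets.
INFO_FIXED = "name: TacJS\ntype: module\ncore_version_requirement: ^9 || ^10\nversion: 6.5.0\n"
INFO_VULN = "name: TacJS\ntype: module\nversion: 6.4.3\n"
INFO_DEV = "name: TacJS\ntype: module\nversion: 6.x-dev\n"
INFO_GIT = "name: TacJS\ntype: module\n"  # git checkout: packaging never added a version line

# Constructed composer.lock excerpt (not a real lock file).
LOCK_SAMPLE = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.2.0"},
    {"name": "drupal/tacjs", "version": "6.4.3"},
]})

VERSION_RE = re.compile(r"^(?:\d+\.x-)?v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+\d*))?$")


def parse_version(v):
    """Return (major, minor, patch, is_prerelease), or None for a non-release string.

    Accepts '6.4.3', 'v6.5.0', legacy '8.x-6.4.3' and '6.5.0-beta1'.
    Dev snapshots such as '6.x-dev' carry no comparable number and return None.
    """
    m = VERSION_RE.match(v.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), pre is not None


def is_vulnerable(v):
    """True when the version is below 6.5.0, is a pre-release of 6.5.0, or cannot be
    determined. Unknown is deliberately treated as unpatched."""
    parsed = parse_version(v)
    if parsed is None:
        return True
    major, minor, patch, pre = parsed
    if (major, minor, patch) < FIXED:
        return True
    if (major, minor, patch) == FIXED and pre:
        return True  # 6.5.0-beta1 predates the 6.5.0 release
    return False


def check_info_yml(text):
    """Read the 'version:' line of a tacjs.info.yml. Returns (version_or_None, vulnerable)."""
    m = re.search(r"^version:\s*['\"]?([^'\"\n]+?)['\"]?\s*$", text, re.M)
    version = m.group(1) if m else None
    return version, (is_vulnerable(version) if version else True)


def check_composer_lock(text, package="drupal/tacjs"):
    """Look the module up in composer.lock. Returns (version, vulnerable), or (None, None)
    when the package is not Composer-managed, in which case fall back to the info.yml."""
    lock = json.loads(text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == package:
            version = pkg.get("version", "")
            return version, is_vulnerable(version)
    return None, None


if __name__ == "__main__":
    for label, text in [("fixed", INFO_FIXED), ("vuln", INFO_VULN), ("dev", INFO_DEV), ("git", INFO_GIT)]:
        print(label, check_info_yml(text))
    print("composer.lock", check_composer_lock(LOCK_SAMPLE))
```

Run it against each site's composer.lock first; only when the module is not Composer-managed does the info.yml matter, and a git checkout without a version line is reported as unpatched so that it gets a human look rather than a silent pass.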

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests with script tags or JavaScript in parameters
  • Multiple failed XSS attempts in web server logs
  • Unexpected iframe or script injections in page content

Network Indicators:

  • HTTP requests containing <script>, javascript:, or eval() in parameters
  • Outbound connections to suspicious domains following page loads

SIEM Query:

Pseudo-Splunk; adapt field names to your log source. Match URL-encoded forms as well as literal ones, since access logs record the raw (still encoded) request line:

source="web_logs" AND ("<script" OR "%3Cscript" OR "javascript:" OR "javascript%3A" OR "onload=" OR "onload%3D" OR "onerror=" OR "onerror%3D") AND uri="*tacjs*"

The uri clause assumes the vulnerable request path contains "tacjs"; the advisory does not name the exact route, so drop that clause if you are unsure. Payloads submitted in POST bodies are not visible in web server access logs; use WAF or application logs for those.
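The indicators above as a runnable check, added here as an example (not code from the advisory or the TacJS project). It parses constructed Apache combined-format access-log lines, URL-decodes the request target repeatedly so double-encoded payloads are caught, matches the page's indicators generalised to any on*= handler attribute, and counts hits per source address so repeated probing stands out. The addresses and paths in the sample are made up; /admin/config/tacjs is a placeholder, not the module's real route.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /admin/config/tacjs?name=acme HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "POST /admin/config/tacjs HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "GET /node/1?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "GET /node/1?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.8 - - [10/Jan/2025:10:00:05 +0000] "GET /search?k=javascript%3Aalert(1) HTTP/1.1" 200 1024 "-" "curl/8.0"
"""

# ip ident user [time] "METHOD target PROTO" status size ... (the rest is ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The advisory's indicators, with on*= generalised beyond onload/onerror.
XSS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script", re.I)),
    ("iframe-tag", re.compile(r"<\s*iframe", re.I)),
    ("js-uri", re.compile(r"javascript\s*:", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("eval-call", re.compile(r"\beval\s*\(", re.I)),
]


def fully_decode(s, max_rounds=3):
    """URL-decode until the string stops changing. Returns (decoded, rounds).

    A double-encoded payload (%253C -> %3C -> <) only becomes visible after the
    second round, which is exactly what a single-pass grep misses.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
        rounds += 1
    return s, rounds


def scan_line(line):
    """Return a finding dict for one access-log line, or None if clean/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, rounds = fully_decode(m.group("target"))
    hits = [name for name, rx in XSS_PATTERNS if rx.search(target)]
    if not hits:
        return None  # note: POST bodies are not in access logs; this sees the URI only
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "target": target,
        "decode_rounds": rounds,
        "indicators": hits,
    }


def scan_log(text):
    """Scan a whole log and return findings in line order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


def repeat_offenders(findings, threshold=2):
    """Source addresses with at least `threshold` flagged requests (the 'multiple
    attempts' indicator from the advisory)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["method"], f["indicators"], f"decoded x{f['decode_rounds']}", f["target"])
    print("repeat offenders:", repeat_offenders(found))
```

The first two sample lines are ordinary admin traffic and produce nothing; the third and fifth match on a single decode, and the fourth only on the second decode, which is why the decode depth is reported alongside the indicator. Expect false positives from legitimate content containing "on…=" or "javascript:" in query strings; the per-source count is the more reliable signal.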
