CVE-2024-13256

7.5 HIGH

📋 TL;DR

This vulnerability in Drupal's Email Contact module allows attackers to bypass access controls through forceful browsing, potentially accessing restricted email contact forms. It affects Drupal sites running Email Contact module versions before 2.0.4. Site administrators who haven't updated to the patched version are vulnerable.

💻 Affected Systems

Products:
  • Drupal Email Contact module
Versions: 0.0.0 through 2.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the Email Contact module installed and enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive email contact forms intended for specific user roles, potentially exposing confidential communication channels or harvesting sensitive information submitted through these forms.

🟠 Likely Case

Unauthorized users gain access to email contact forms they shouldn't see, potentially leading to information disclosure or misuse of contact functionality.

🟢 If Mitigated

With proper access controls and patching, only authorized users can access appropriate email contact forms as intended.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of Drupal's URL structure and access control mechanisms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.4

Vendor Advisory: https://www.drupal.org/sa-contrib-2024-020

Restart Required: No

Instructions:

1. Update the Email Contact module to version 2.0.4 via Drupal's update manager or Composer.
2. Clear Drupal caches.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable Email Contact module

Applies to: all

Temporarily disable the vulnerable module until patching is possible:

drush pm:disable email_contact

Note: Drupal 8 and later have no "disabled" state for modules, and Drush 9+ no longer ships pm:disable; on those versions the equivalent is uninstalling the module (drush pm:uninstall email_contact). Uninstalling also removes the module's configuration, so export the site configuration before doing so.

🧯 If You Can't Patch

  • Implement additional access control checks at the web server level (e.g., .htaccess rules)
  • Monitor access logs for unauthorized attempts to access email contact endpoints

🔍 How to Verify

Check if Vulnerable:

Check the installed version of the Email Contact module in Drupal's Extend page or via 'drush pm:list | grep email_contact'

Check Version:

drush pm:list --fields=name,version | grep email_contact

Verify Fix Applied:

Confirm that the Email Contact module version is 2.0.4 or higher and test the access controls on email contact forms.
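The version check above can be scripted so it can run across many sites. The following is an added example (not code from the advisory or from the Email Contact project): it takes the text output of the page's `drush pm:list --fields=name,version` command, finds the email_contact line, and compares the version against the 2.0.4 fix release. The drush output embedded in the block is constructed for illustration; the real column layout can differ between Drush versions, which is why the parser only looks for the machine name and a version-shaped token on the same line.

```python
"""Decide whether an installed Email Contact module is in the affected
range (< 2.0.4) from `drush pm:list` output.

Added example, not part of the advisory. The sample output below is
CONSTRUCTED; real drush column layout may differ.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = (2, 0, 4)      # patched release named in the advisory
MACHINE_NAME = "email_contact"

# Constructed sample of `drush pm:list --fields=name,version` output.
# Note: with these fields the Status column is omitted, so a module that
# is present but uninstalled would still be listed here.
SAMPLE_DRUSH_OUTPUT = """\
 Name                               Version
 Email Contact (email_contact)      2.0.3
 Token (token)                      1.13.0
 Webform (webform)                  6.2.2
"""

# Accepts plain semver (2.0.3) and the legacy core-prefixed form (8.x-2.0.3);
# the patch component is optional (2.1 -> 2.1.0).
VERSION_RE = re.compile(r"(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for the first version found, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def installed_version(drush_output: str,
                      machine_name: str = MACHINE_NAME) -> Optional[Tuple[int, int, int]]:
    """Find the module's line by its machine name and parse its version."""
    for line in drush_output.splitlines():
        if f"({machine_name})" in line:
            return parse_version(line)
    return None  # not listed: module absent, or output format not recognised


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Everything below the fix release (0.0.0 through 2.0.3) is affected."""
    return version < FIXED_VERSION


def assess(drush_output: str) -> str:
    """Summarise as 'vulnerable', 'patched' or 'not-installed-or-unparsed'."""
    version = installed_version(drush_output)
    if version is None:
        return "not-installed-or-unparsed"
    return "vulnerable" if is_affected(version) else "patched"


if __name__ == "__main__":
    print(assess(SAMPLE_DRUSH_OUTPUT))
```

Pipe real output in (`drush pm:list --fields=name,version | python3 check.py` with a small `sys.stdin.read()` wrapper) and treat "not-installed-or-unparsed" as a prompt to inspect the raw listing rather than as a clean result; pre-release suffixes such as 2.0.4-beta1 parse as 2.0.4 here, so confirm those by hand.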

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /email_contact/* paths in web server logs
  • 403 Forbidden errors followed by successful 200 responses to email contact endpoints

Network Indicators:

  • HTTP requests to email contact endpoints from unauthorized IPs or user agents

SIEM Query:

web_access_logs WHERE (url_path LIKE '%/email_contact/%' AND response_code = 200) AND user_role NOT IN ('authorized_roles')
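The SIEM query above assumes the log store already knows the requesting user's Drupal role, which a plain web server access log does not. The following added example (not code from the advisory) implements the two log indicators listed above over raw access log lines instead: every 200 response on an email contact path is collected for review, and a client that received a 403 on such a path and then a 200 on one within a short window is flagged separately. The log lines are constructed, the combined log format and the five-minute window are assumptions, and the `/email_contact/` path prefix is taken from the advisory's indicator, so adjust it to the routes your site actually exposes.

```python
"""Flag the advisory's two log indicators in web server access logs.

Added example, not part of the advisory. Assumes Apache/Nginx "combined"
log format and that lines arrive in chronological order. The sample log
below is CONSTRUCTED.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
CONTACT_PREFIX = "/email_contact/"   # path pattern from the advisory's indicators
WINDOW = timedelta(minutes=5)        # assumption: 403 -> 200 within 5 min is suspicious

# Constructed sample: one client is refused and then served shortly after,
# another is served directly.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /email_contact/5 HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2025:10:00:05 +0000] "GET /email_contact/7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:01:00 +0000] "GET /node/1 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:02:00 +0000] "GET /email_contact/2 HTTP/1.1" 200 1800 "-" "curl/8.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
    ev["status"] = int(ev["status"])
    return ev


def is_contact_path(path: str) -> bool:
    """Match the email contact routes, ignoring any query string."""
    bare = path.split("?", 1)[0]
    return bare.startswith(CONTACT_PREFIX) or bare == CONTACT_PREFIX.rstrip("/")


def find_indicators(lines: List[str]) -> Dict[str, List[dict]]:
    """Return events matching the advisory's two log indicators."""
    findings: Dict[str, List[dict]] = {
        "successful_contact_access": [],   # 200s on contact paths, for review
        "forbidden_then_success": [],      # 403 then 200 from the same client
    }
    last_403: Dict[str, datetime] = {}     # client ip -> time of latest 403
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_contact_path(ev["path"]):
            continue
        if ev["status"] == 403:
            last_403[ev["ip"]] = ev["ts"]
        elif ev["status"] == 200:
            findings["successful_contact_access"].append(ev)
            prior = last_403.get(ev["ip"])
            if prior is not None and ev["ts"] - prior <= WINDOW:
                findings["forbidden_then_success"].append(ev)
    return findings


if __name__ == "__main__":
    result = find_indicators(SAMPLE_LOG.splitlines())
    for kind, events in result.items():
        for ev in events:
            print(f"{kind}: {ev['ip']} {ev['method']} {ev['path']} -> {ev['status']}")
```

The first list is only a candidate set: the access log cannot tell an authorized editor from anyone else, so cross-reference those requests with Drupal's own session or dblog records (or add the authenticated user to the log format) before treating a 200 as unauthorized. The 403-then-200 pairing is the stronger signal and is worth an alert on its own.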
