CVE-2024-13266

5.3 MEDIUM

📋 TL;DR

This CVE describes an incorrect authorization vulnerability in Drupal's Responsive and off-canvas menu module that allows forceful browsing (accessing restricted content without proper permissions). It affects Drupal sites using this contributed module. Attackers can bypass intended access controls to view content they shouldn't have permission to access.

💻 Affected Systems

Products:
  • Drupal Responsive and off-canvas menu module
Versions: All versions from 0.0.0 before 4.4.4
Operating Systems: All operating systems running Drupal
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the Responsive and off-canvas menu module installed and enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized users gain access to sensitive administrative interfaces or confidential content, potentially leading to data exposure or privilege escalation.

🟠 Likely Case: Attackers access restricted content pages or functionality they shouldn't have permission to view, compromising data confidentiality.

🟢 If Mitigated: With proper access controls and monitoring, impact is limited to unauthorized viewing of some restricted content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some knowledge of the site structure but is technically simple once identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.4

Vendor Advisory: https://www.drupal.org/sa-contrib-2024-030

Restart Required: No

Instructions:

1. Update the Responsive and off-canvas menu module to version 4.4.4 or later.
2. Clear Drupal caches.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable the module (applies to: all versions)

Temporarily remove the vulnerable module until patching is possible. Drupal 8 and later have no "disabled" state for modules, so the module must be uninstalled, which drops its configuration; export that configuration first if you plan to reinstall it after patching. The project's machine name is responsive_menu:

drush pm:uninstall responsive_menu

Implement additional access controls (applies to: all versions)

Add custom access checks to the affected routes so that the module's pages are not reachable without the intended permissions.

🧯 If You Can't Patch

  • Implement web application firewall rules to block suspicious access patterns
  • Increase logging and monitoring for unauthorized access attempts to restricted content

🔍 How to Verify

Check if Vulnerable:

Check whether the Responsive and off-canvas menu module (machine name responsive_menu) is installed and whether its version is below 4.4.4.

Check Version:

drush pm:list | grep responsive_menu
composer show drupal/responsive_menu

Verify Fix Applied:

Confirm the module version is 4.4.4 or higher, then test that the previously restricted content cannot be accessed without the proper permissions (for example, as an anonymous user).

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to restricted content paths
  • 403 errors followed by successful 200 responses to same paths

Network Indicators:

  • Repeated requests to admin or restricted URLs from unauthenticated or low-privilege users

SIEM Query:

source="drupal_access_log" AND status=200 AND (uri CONTAINS "/admin" OR uri CONTAINS "/restricted") AND user_role="anonymous"
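Added example (not part of the original advisory): a small Python detector that implements the two log indicators above, a 403 followed shortly by a 200 to the same path from the same client, and a 200 to an /admin or /restricted path by an anonymous user, over constructed sample log lines. It assumes a simplified log format in which each line already carries the requester's Drupal role; real access logs would need that field supplied by the application or a log-enrichment step.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real site):
# timestamp, client IP, Drupal role of the requester, HTTP status, request URI.
SAMPLE_LOG = """\
2024-12-02T10:00:01Z 203.0.113.5 anonymous 403 /admin/content
2024-12-02T10:00:09Z 203.0.113.5 anonymous 200 /admin/content
2024-12-02T10:01:00Z 203.0.113.7 authenticated 200 /node/12
2024-12-02T10:02:30Z 203.0.113.9 anonymous 200 /restricted/report
2024-12-02T10:03:00Z 198.51.100.2 administrator 200 /admin/config
2024-12-02T10:05:00Z 203.0.113.5 anonymous 403 /admin/people
"""

# Assumed (simplified) line format; adapt the regex to your real log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<role>\S+) (?P<status>\d{3}) (?P<uri>\S+)$"
)
RESTRICTED_PREFIXES = ("/admin", "/restricted")
LOW_PRIV_ROLES = {"anonymous"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_forceful_browsing(log_text, window=timedelta(minutes=5)):
    """Return (indicator, ip, uri) findings in log order.

    denied_then_allowed:      a 403 for (ip, uri) followed within `window` by a 200
                              for the same (ip, uri), i.e. a denial that was bypassed.
    low_priv_restricted_200:  a 200 on a restricted prefix for a low-privilege role.
    """
    findings = []
    last_denied = {}  # (ip, uri) -> timestamp of the most recent 403
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["ip"], rec["uri"])
        if rec["status"] == 403:
            last_denied[key] = rec["ts"]
            continue
        if rec["status"] != 200:
            continue
        if key in last_denied and rec["ts"] - last_denied[key] <= window:
            findings.append(("denied_then_allowed", rec["ip"], rec["uri"]))
            del last_denied[key]
        if rec["role"] in LOW_PRIV_ROLES and rec["uri"].startswith(RESTRICTED_PREFIXES):
            findings.append(("low_priv_restricted_200", rec["ip"], rec["uri"]))
    return findings
```

Run against the sample it flags the 203.0.113.5 denial-then-success on /admin/content and the two anonymous 200s on restricted paths, while the administrator's /admin/config request and the authenticated /node/12 request are ignored.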
