CVE-2024-13285
📋 TL;DR
This vulnerability in Drupal's wkhtmltopdf module allows remote code execution through improper input validation. It affects Drupal sites using the wkhtmltopdf module to generate PDFs. Attackers can exploit this without authentication to execute arbitrary commands on the server.
💻 Affected Systems
- Drupal wkhtmltopdf module
📦 What is this software?
Wkhtmltopdf by Wkhtmltopdf
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to data theft, website defacement, or installation of backdoors for persistent access.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though risk remains elevated due to the nature of the vulnerability.
🎯 Exploit Status
The vulnerability appears to be a command injection through wkhtmltopdf parameters, making exploitation relatively straightforward for attackers familiar with the module.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Drupal security advisory for specific version
Vendor Advisory: https://www.drupal.org/sa-contrib-2024-049
Restart Required: No
Instructions:
1. Visit the Drupal security advisory page.
2. Download and install the patched version of the wkhtmltopdf module.
3. Clear Drupal caches.
4. Verify the module is updated in Drupal's module administration page.
🔧 Temporary Workarounds
Disable wkhtmltopdf module
all: Temporarily disable the vulnerable module until patching is possible
drush pm-disable wkhtmltopdf
Restrict PDF generation access
all: Limit access to PDF generation functionality to authenticated users only
🧯 If You Can't Patch
- Implement strict input validation for all wkhtmltopdf parameters
- Deploy web application firewall rules to block suspicious PDF generation requests
🔍 How to Verify
Check if Vulnerable:
Check Drupal's module administration page for the wkhtmltopdf module version and compare it with the patched version in the security advisory
Check Version:
drush pm-list --fields=name,version | grep wkhtmltopdf
Verify Fix Applied:
Verify the module version matches or exceeds the patched version listed in the security advisory
📡 Detection & Monitoring
Log Indicators:
- Unusual PDF generation requests with suspicious parameters
- Multiple failed PDF generation attempts
- Commands executed via wkhtmltopdf with unusual arguments
Network Indicators:
- Spike in requests to PDF generation endpoints
- Unusual outbound connections from web server following PDF requests
SIEM Query:
source="drupal_access_log" AND (uri="*/pdf*" OR uri="*/wkhtmltopdf*") AND (status=500 OR parameters CONTAINS suspicious_patterns)