CVE-2024-13287

CVSS base score: 5.4 MEDIUM

📋 TL;DR

This cross-site scripting (XSS) vulnerability lets an attacker inject script into pages rendered by the Drupal Views SVG Animation module; the script then runs in the browser of anyone who views those pages. It affects every Drupal site with the module installed, from its initial release through version 1.0.0 (fixed in 1.0.1). A successful attack can steal session cookies, redirect users to attacker-controlled sites, or perform actions with the victim's privileges.

💻 Affected Systems

Products:
  • Drupal Views SVG Animation
Versions: 0.0.0 through 1.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Drupal CMS with Views SVG Animation module installed and enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker steals administrator session cookies, gains full control of Drupal site, defaces website, or installs backdoors.

🟠

Likely Case

Attacker steals user session cookies, performs unauthorized actions as authenticated users, or redirects to phishing sites.

🟢

If Mitigated

Limited impact once the module is updated or uninstalled. Until then, a strict Content Security Policy that blocks inline script and restricting who can configure Views reduce both the reach and the likelihood of a successful injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: UNVERIFIED (a 5.4 score for an XSS normally corresponds to low privileges required; check the vendor advisory for the role or permission an attacker needs)
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity once the injection point is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1

Vendor Advisory: https://www.drupal.org/sa-contrib-2024-051

Restart Required: No

Instructions:

1. Update the module to 1.0.1 or later. On a Composer-managed site: composer update drupal/views_svg_animation (Drupal's update manager works for sites not managed by Composer).
2. Clear Drupal caches: drush cr, or Configuration > Performance > Clear all caches.
3. Confirm the installed version on the Extend page (/admin/modules) or the Available updates report (/admin/reports/updates).

🔧 Temporary Workarounds

Uninstall Views SVG Animation Module

Platform: all

Temporarily uninstall the vulnerable module until patching is possible. Drupal 8 and later have no "disabled" state, so uninstalling also deletes the module's configuration and any View display that depends on it stops rendering; export configuration first (drush config:export) so it can be restored after the update.

drush pm:uninstall views_svg_animation

Implement Content Security Policy

Platform: all

Add a CSP header that blocks inline script and limits script sources. Roll it out as Content-Security-Policy-Report-Only first: themes and contrib modules that inline scripts will break under this policy. Note that 'self' still allows scripts served from the site's own public files directory, so this is a mitigation, not a fix.

Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or set it from Drupal with the Content Security Policy (csp) contrib module; settings.php cannot add response headers on its own.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block common XSS payloads, including URL-encoded forms (%3Cscript, javascript%3A); expect bypasses, this only buys time
  • Limit the permissions that allow configuring Views (in particular "administer views") to trusted roles, so fewer accounts can reach the injection point

🔍 How to Verify

Check if Vulnerable:

List the module and its installed version (Drush 9+ command syntax):

drush pm:list --type=module --fields=name,version | grep views_svg_animation

On a Composer-managed site: composer show drupal/views_svg_animation

Verify Fix Applied:

Confirm the reported version is 1.0.1 or higher via the Extend page (/admin/modules), the Available updates report (/admin/reports/updates), or the commands above. Check each environment (production, staging) separately.
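The fix steps and the version check above, combined into one script. This is an added example, not code from the advisory or the module: it parses the output of composer show drupal/views_svg_animation (a constructed sample here), compares the installed version against the 1.0.1 fix, and exits non-zero while the site is still affected, so it can gate a deployment. The composer show output format, the sample values and the version-comparison rules are assumptions; a -dev snapshot is treated as affected.

```sh
#!/bin/sh
# Added example (not from the advisory or the module): decide whether an installed
# Views SVG Animation release is older than the 1.0.1 fix. Versions are compared
# field by field, so the drupal.org "8.x-1.0" style is handled too; a "-dev"
# snapshot is treated as affected and must be checked by hand against the advisory.

FIXED_VERSION="1.0.1"

# normalize_version VERSION: drop an "8.x-"/"7.x-" core prefix, a leading "v"
# and any "-dev"/"-rc1" suffix, leaving dotted numbers only.
normalize_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]\.x-//' -e 's/^v//' -e 's/-.*$//'
}

# version_lt A B: exit 0 when A is strictly older than B (three numeric fields;
# missing fields and non-numeric fields such as "x" count as 0).
version_lt() {
    awk -v a="$(normalize_version "$1")" -v b="$(normalize_version "$2")" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        for (i = 1; i <= 3; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# is_vulnerable VERSION: exit 0 when VERSION is in the affected range (< 1.0.1).
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version: pull X.Y.Z out of the "versions : * X.Y.Z" line that
# `composer show drupal/views_svg_animation` prints (read from stdin).
installed_version() {
    sed -n 's/^versions[[:space:]]*:[[:space:]]*\*[[:space:]]*//p' | head -n 1
}

# Constructed sample of `composer show` output for a site still on 1.0.0.
SAMPLE_COMPOSER_SHOW='name     : drupal/views_svg_animation
descrip. : Provides an SVG animation display for Views.
versions : * 1.0.0
type     : drupal-module'

# report: read composer show output on stdin, print the verdict, and return
# 0 (fixed), 1 (affected) or 2 (not found) for use in CI or a deploy gate.
report() {
    v=$(installed_version)
    if [ -z "$v" ]; then
        echo "views_svg_animation: not installed via Composer (check /admin/modules)"
        return 2
    fi
    if is_vulnerable "$v"; then
        echo "views_svg_animation $v: AFFECTED - run: composer update drupal/views_svg_animation && drush cr"
        return 1
    fi
    echo "views_svg_animation $v: fixed (>= $FIXED_VERSION)"
    return 0
}

# Demo run on the constructed sample (|| true so the AFFECTED exit code does not
# abort a caller running under set -e). Real use: composer show drupal/views_svg_animation | report
printf '%s\n' "$SAMPLE_COMPOSER_SHOW" | report || true
```

Run it after the update as well: once composer show reports 1.0.1 or later the script returns 0, which is the check a deploy pipeline should require before clearing caches and declaring the site fixed.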

📡 Detection & Monitoring

Log Indicators:

  • Requests carrying script tags, javascript: URLs or inline event handlers (onload=, onerror=) in parameters, including URL-encoded forms (%3Cscript, %3Csvg)
  • A session cookie that starts being used from a new client IP or User-Agent shortly after such a request (possible cookie theft)
  • If the payload was stored through the Views UI, unexpected changes to views.view.* configuration; compare against an exported configuration baseline

Network Indicators:

  • HTTP requests containing <script>, javascript:, eval( or SVG event handlers in URL parameters, plain or URL-encoded

SIEM Query:

web.url:*<script>* OR web.url:*javascript:* OR web.url:*eval(* OR web.url:*%3Cscript* OR web.url:*javascript%3A*

This query only sees payloads carried in the URL (reflected attempts and scanner traffic). A stored payload arrives in a POST body that access logs do not record, so pair it with the configuration-change indicator above.
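The indicators above as detection logic run over constructed access-log lines. This is an added example, not from the advisory or the module: it extracts the request target from each combined-format log line, URL-decodes it twice so a single layer of double-encoding is caught, and prints the lines whose decoded target contains one of the markers. The log lines, client addresses and paths are constructed; the marker list is an assumption and should be tuned to the site.

```sh
#!/bin/sh
# Added example, not from the advisory or the module: flag access-log lines whose
# URL-decoded request target carries one of the XSS markers listed above.
# Input: combined-format log lines on stdin. Output: "<marker>\t<original line>".

# Constructed sample: one benign request, then plain, SVG event-handler,
# javascript: and double-encoded payloads. IPs are documentation ranges.
SAMPLE_ACCESS_LOG='203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /node/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:00:07 +0000] "GET /views/ajax?title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 310 "-" "curl/8.4.0"
198.51.100.2 - - [10/Jan/2025:10:00:09 +0000] "GET /search/node?keys=%3Csvg+onload%3Dalert(document.cookie)%3E HTTP/1.1" 200 870 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:15 +0000] "GET /user/login?destination=javascript%3Aalert(1) HTTP/1.1" 200 4201 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:10:00:20 +0000] "GET /node/12?a=%253Cscript%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

flag_xss_requests() {
    awk '
    # Percent-decode s (and "+" to space) in plain POSIX awk, no gawk extensions.
    function urldecode(s,    out, c, h, d, hexd) {
        hexd = "0123456789abcdef"; out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            h = tolower(substr(s, 2, 2))
            if (c == "%" && h ~ /^[0-9a-f][0-9a-f]$/) {
                d = (index(hexd, substr(h, 1, 1)) - 1) * 16 + index(hexd, substr(h, 2, 1)) - 1
                out = out sprintf("%c", d)
                s = substr(s, 4)
            } else if (c == "+") {
                out = out " "; s = substr(s, 2)
            } else {
                out = out c; s = substr(s, 2)
            }
        }
        return out
    }
    # Markers from the indicator list; "<svg" is added because the module renders SVG.
    BEGIN { n = split("<script javascript: onload= onerror= eval( <svg", markers, " ") }
    {
        # The request target sits inside the quoted "METHOD /path?query HTTP/x" field.
        if (!match($0, /"[A-Z]+ [^ "]+/)) next
        target = substr($0, RSTART + 1, RLENGTH - 1)
        sub(/^[A-Z]+ /, "", target)
        # Decode twice so a single layer of double-encoding (%253C) is caught too.
        dec = tolower(urldecode(urldecode(target)))
        for (i = 1; i <= n; i++)
            if (index(dec, markers[i]) > 0) { print markers[i] "\t" $0; next }
    }'
}

# Demo on the constructed sample; real use: flag_xss_requests < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_ACCESS_LOG" | flag_xss_requests
```

Four of the five sample lines are flagged; the benign /node/12 request is not. As with the SIEM query, this sees only URL-borne payloads: a payload stored through a Views configuration form travels in a POST body, which this log format does not contain.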
