CVE-2024-13298

4.8 MEDIUM

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in Drupal's Tarte au Citron module allows attackers to inject malicious scripts into web pages viewed by other users. It affects Drupal sites using Tarte au Citron versions 2.0.0 through 2.0.4. Site administrators and users who view compromised pages are at risk.

💻 Affected Systems

Products:
  • Drupal Tarte au Citron module
Versions: 2.0.0 through 2.0.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the Tarte au Citron module enabled. The module must be configured and in use.

📦 What is this software?

Tarte au Citron is a contributed Drupal module that integrates the tarteaucitron.js cookie-consent manager. It renders a consent banner and gates third-party scripts (analytics, embedded media, social widgets) until a visitor has accepted them, so it is typically present on every public page of a site that uses it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could hijack authenticated sessions (acting as the victim even when the session cookie itself is HttpOnly), capture credentials, redirect users to malicious sites, or deface the website. Because the consent banner is typically rendered on every page, a stored payload would reach every visitor.

🟠

Likely Case

Attackers inject malicious JavaScript to steal user session cookies or credentials, potentially compromising user accounts.

🟢

If Mitigated

A restrictive Content-Security-Policy, Drupal's default HttpOnly session cookie, and WAF filtering in front of the site substantially limit what an injected script can do, but the vulnerable code remains in place until the module is updated to 2.0.5 or later.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: UNKNOWN (not stated in the advisory)
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity. The advisory does not state what privilege level is needed to plant the payload; a 4.8 score for a network-reachable XSS usually reflects a vector that requires a privileged account to inject and user interaction (a victim viewing the page) to trigger, so accounts that can configure the module should be treated as the first line of exposure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.5

Vendor Advisory: https://www.drupal.org/sa-contrib-2024-064

Restart Required: No

Instructions:

1. Update the Tarte au Citron module to version 2.0.5 or later via Drupal's update manager or Composer.
2. Run any pending database updates and rebuild Drupal caches (drush updatedb, drush cache:rebuild).
3. Verify that the installed version reported by Drupal is 2.0.5 or later.

🔧 Temporary Workarounds

Uninstall Tarte au Citron module

linux

Drupal 8+ modules cannot be disabled, only uninstalled. Export configuration first so the module's settings can be restored after patching, and note that uninstalling removes the cookie-consent banner the module provides.

drush config:export -y
drush pm:uninstall tarte_au_citron -y

Implement Content Security Policy

all

Add a Content-Security-Policy header whose script-src does not allow 'unsafe-inline' (use nonces or hashes for legitimate inline scripts). Roll it out with Content-Security-Policy-Report-Only first: the consent banner and the third-party script origins it gates must be allowlisted or the site will break.
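Whether a CSP actually blunts this XSS comes down to one property: the directive governing scripts must exist and must not permit inline script. The check below is an added example, not part of the advisory or the module; the two policies in it are constructed for illustration, and the site_csp helper assumes curl is installed.

```shell
#!/bin/sh
# Added example, not from the advisory or the module: verify that a
# Content-Security-Policy value restricts inline script, which is what limits
# an injected <script> or onerror= payload. Sample policies are constructed.

WEAK_CSP="default-src 'self'; script-src 'self' 'unsafe-inline'"
STRICT_CSP="default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3'; object-src 'none'"

# Print the directive that governs scripts: script-src if set, else default-src.
csp_script_directive() {
  dirs="$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr ';' '\n' \
          | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
  s="$(printf '%s\n' "$dirs" | awk '$1 == "script-src"')"
  if [ -n "$s" ]; then printf '%s\n' "$s"; return 0; fi
  printf '%s\n' "$dirs" | awk '$1 == "default-src"'
}

# Returns 0 when the policy blocks inline script, 1 when it does not.
csp_blocks_inline_script() {
  d="$(csp_script_directive "$1")"
  [ -n "$d" ] || return 1   # neither script-src nor default-src: nothing restricted
  case " $d " in
    *" 'unsafe-inline' "*)
      # CSP2+: browsers ignore 'unsafe-inline' when a nonce or hash source is present.
      case "$d" in
        *"'nonce-"*|*"'sha256-"*|*"'sha384-"*|*"'sha512-"*) return 0 ;;
      esac
      return 1 ;;
  esac
  return 0
}

# Fetch the CSP header value from a live site (assumes curl is available).
site_csp() {
  curl -sI "$1" | tr -d '\r' \
    | sed -n 's/^[Cc]ontent-[Ss]ecurity-[Pp]olicy:[[:space:]]*//p'
}

for p in "$WEAK_CSP" "$STRICT_CSP"; do
  if csp_blocks_inline_script "$p"; then echo "OK   : $p"; else echo "WEAK : $p"; fi
done
```

To test a deployed site, pass the header from `site_csp https://example.org/` into `csp_blocks_inline_script`; a policy that only lists `default-src` is still evaluated, because script-src falls back to it.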

🧯 If You Can't Patch

  • Put a web application firewall in front of the site with rules for XSS payloads in query strings and form bodies; encoding tricks bypass such rules easily, so treat this as a stopgap rather than a fix
  • Restrict the permissions needed to configure the module, and the use of permissive text formats such as Full HTML, to trusted administrator roles, so that planting a payload requires a privileged account

🔍 How to Verify

Check if Vulnerable:

Check the Tarte au Citron module version in Drupal's Extend page or via drush: drush pm:list | grep tarte_au_citron

Check Version:

drush pm:list --fields=name,version | grep tarte_au_citron

Verify Fix Applied:

Confirm the module version reported by Drupal is 2.0.5 or later, then, on a staging copy, submit a benign payload such as <img src=x onerror=alert(1)> in the fields the advisory identifies as affected and confirm it is rendered as text rather than executed.
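The fix instructions and the verification steps above both reduce to one question: is the installed version at or above 2.0.5? The script below is an added example, not the advisory's or the module's own tooling. It assumes Drush 9+ (pm:list with --fields and --format) and a Composer-managed site whose package is drupal/tarte_au_citron; the version comparison itself runs without either.

```shell
#!/bin/sh
# Added example, not from the advisory or the module: decide whether an
# installed Tarte au Citron release is at or above the fixed version, and
# wrap the drush lookup and the Composer update around that check.
# Assumptions: Drush 9+ and a Composer package named drupal/tarte_au_citron.

FIXED_VERSION="2.0.5"

# version_ge A B: returns 0 when dotted version A >= B.
# Strips a Drupal core-compat prefix ("8.x-2.0.4") and treats a pre-release
# suffix ("2.0.5-rc1") as lower than the matching final release.
version_ge() {
  v1="${1#*.x-}"; v2="${2#*.x-}"
  old_ifs="$IFS"; IFS='.'
  set -- $v1; a1="${1:-0}"; a2="${2:-0}"; a3="${3:-0}"
  set -- $v2; b1="${1:-0}"; b2="${2:-0}"; b3="${3:-0}"
  IFS="$old_ifs"
  a_pre=0; case "$a3" in *-*) a_pre=1 ;; esac
  b_pre=0; case "$b3" in *-*) b_pre=1 ;; esac
  a3="${a3%%-*}"; b3="${b3%%-*}"
  if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return; fi
  if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return; fi
  if [ "$a3" -ne "$b3" ]; then [ "$a3" -gt "$b3" ]; return; fi
  # Same numbers: a pre-release is below the final release.
  [ "$a_pre" -le "$b_pre" ]
}

# Read the installed version from drush; prints nothing if unavailable.
installed_version() {
  drush pm:list --fields=name,version --format=csv 2>/dev/null \
    | awk -F, '$1 == "tarte_au_citron" { print $2 }'
}

# check_version V: prints a verdict and returns 0 only when V is fixed.
check_version() {
  if version_ge "$1" "$FIXED_VERSION"; then
    echo "tarte_au_citron $1: fixed (>= $FIXED_VERSION)"
  else
    echo "tarte_au_citron $1: VULNERABLE (< $FIXED_VERSION), update required"
    return 1
  fi
}

# Patch sequence for a Composer-managed site (run from the project root):
#   composer require 'drupal/tarte_au_citron:^2.0.5' --update-with-dependencies
#   drush updatedb -y && drush cache:rebuild
# Then re-run this script; no web server restart is needed.

if command -v drush >/dev/null 2>&1; then
  v="$(installed_version)"
  if [ -n "$v" ]; then check_version "$v"; else echo "tarte_au_citron not installed"; fi
fi
```

The comparison is deliberately stricter than a string match: 2.0.10 is correctly above 2.0.5, and 2.0.5-rc1 is correctly below it, which a naive `grep 2.0.5` would get wrong.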

📡 Detection & Monitoring

Log Indicators:

  • Script tags, javascript: URLs or inline event handlers (onload, onerror, onmouseover) in request URLs, including their percent-encoded forms (%3Cscript%3E, onerror%3D)
  • Bursts of such requests from a single source, typical of scanner or fuzzing activity
  • If the payload is planted through the module's settings, configuration changes by accounts that do not normally administer it (Drupal's "Recent log messages" / watchdog)

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript event handlers like onload, onerror, in plain or URL-encoded form

SIEM Query:

web_requests WHERE lower(url_decode(url_parameters)) CONTAINS '<script' OR lower(url_decode(url_parameters)) CONTAINS 'javascript:' OR lower(url_decode(url_parameters)) MATCHES 'on[a-z]+\s*='

Decode and lower-case before matching: a bare CONTAINS '<script>' misses percent-encoded and mixed-case payloads. This query only sees what is in the URL; a stored payload submitted through a form travels in a POST body, which access logs do not record, so pair it with WAF or application-level logging.
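The same logic as the SIEM query, run over a handful of access-log lines, as an added example that is not part of the original page. The log entries are constructed; the decoder handles only the escapes that matter for these markers, which is enough to see why the undecoded match misses two of the three attempts below.

```shell
#!/bin/sh
# Added example, not from the advisory: scan a web access log for XSS markers
# after undoing the percent-encoding that hides them from a naive '<script>'
# match. The log lines below are constructed. A stored payload submitted via
# an admin form travels in a POST body that access logs do not record, so
# this only catches what appears in the URL.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /node/1 HTTP/1.1" 200 5120
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /search/node?keys=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /?q=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 2048
203.0.113.12 - - [01/Jan/2024:10:00:03 +0000] "GET /?next=JaVaScRiPt:alert(1) HTTP/1.1" 302 0
203.0.113.13 - - [01/Jan/2024:10:00:04 +0000] "POST /user/login HTTP/1.1" 303 0
EOF

# Decode the percent-escapes relevant to these markers (not a full decoder).
url_decode_basic() {
  sed -e 's/%3[cC]/</g' -e 's/%3[eE]/>/g' -e 's/%2[fF]/\//g' -e 's/%3[aA]/:/g' \
      -e 's/%3[dD]/=/g' -e 's/%20/ /g' -e 's/+/ /g' -e 's/%22/"/g' -e "s/%27/'/g" \
      -e 's/%28/(/g' -e 's/%29/)/g'
}

# Case-insensitive markers: a script tag, a javascript: URL, or an on*= handler
# inside a tag.
XSS_PATTERN='<script|javascript:|<[a-z]+[^>]*[[:space:]]on[a-z]+[[:space:]]*='

# Print each log line whose decoded request matches a marker.
scan_access_log() {
  while IFS= read -r line; do
    if printf '%s\n' "$line" | url_decode_basic | grep -qiE "$XSS_PATTERN"; then
      printf '%s\n' "$line"
    fi
  done < "$1"
}

# Number of flagged lines, for thresholds or dashboards.
count_xss_hits() {
  scan_access_log "$1" | wc -l | tr -d ' '
}

scan_access_log "$SAMPLE_LOG"
```

Three of the five sample lines are flagged; the plain page view and the login POST are not. The mixed-case `JaVaScRiPt:` line is caught only because the match is case-insensitive, and the `<img ... onerror=` line only because `+` and `%3D` are decoded first.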
