CVE-2024-13302

5.3 MEDIUM

📋 TL;DR

CVE-2024-13302 is an incorrect authorization flaw in the Pages Restriction Access contributed module for Drupal. The module's access check can be bypassed by forceful browsing, that is, by requesting the URL of a restricted page directly rather than reaching it through the links the site exposes. Sites running the module at versions 2.0.0 through 2.0.2 are affected; an attacker can read restricted pages they have no permission to view.

💻 Affected Systems

Products:
  • Drupal Pages Restriction Access module
Versions: 2.0.0 up to and including 2.0.2 (fixed in 2.0.3)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the Pages Restriction Access module installed and enabled.

📦 What is this software?

Pages Restriction Access is a contributed (non-core) Drupal module that lets site administrators mark specific pages as restricted so that only selected roles or users can view them. The module enforces this with its own access check, layered over whatever Drupal core would otherwise allow, so any page protected by the module alone becomes reachable if that check can be bypassed, which is what this CVE describes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain unauthorized access to sensitive administrative pages, confidential content, or user data that should be restricted.

🟠

Likely Case

Unauthorized users access moderately sensitive content pages that should be restricted to specific roles or users.

🟢

If Mitigated

Limited exposure if only non-sensitive pages are protected by the module or if additional access controls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowing, or guessing, the URL of a restricted page, which sitemaps, search indexes and menu links can reveal. Once a target path is known, the bypass is a plain HTTP request for it, with no special tooling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.3

Vendor Advisory: https://www.drupal.org/sa-contrib-2024-068

Restart Required: No

Instructions:

1. Update the Pages Restriction Access module to version 2.0.3 or later, using Composer on Composer-managed sites or Drupal's Update Manager otherwise.
2. Run any pending database updates and rebuild Drupal's caches so the updated access check takes effect.
3. Confirm the installed version is 2.0.3 or later, then re-test a restricted page as an anonymous user and as a low-privileged authenticated user; both requests should be denied.

🔧 Temporary Workarounds

Uninstall the Pages Restriction Access module

Platforms: all

Remove the vulnerable module until the patched release can be installed. Drupal 8 and later cannot "disable" a module, only uninstall it, and uninstalling deletes the module's configuration, so export your configuration first. More importantly, this removes the restrictions themselves: every page protected only by this module becomes reachable by everyone, so use this workaround only where another access control already covers those pages.

drush pm:uninstall pages_restriction_access

Implement Additional Access Controls

Platforms: all

Put a second, independent gate in front of the protected pages so the module's check is not the only one: for example, Drupal core role permissions or node access on the content itself, or a deny rule for those paths in the web server or reverse proxy. The bypass only matters where the module is the sole control.

🧯 If You Can't Patch

  • Add web application firewall or reverse-proxy rules that deny direct requests to the restricted paths from clients without an authenticated Drupal session, and alert on the denied attempts
  • Monitor access logs for requests to restricted page URLs, especially 200 responses on paths that should only ever return 403 to anonymous or low-privileged users

🔍 How to Verify

Check if Vulnerable:

Check whether the Pages Restriction Access module is installed and enabled, and whether its version is between 2.0.0 and 2.0.2 inclusive. A copy that is present in the codebase but not installed is not exposed, but should still be updated before anyone enables it.

Check Version:

drush pm:list | grep pages_restriction_access

Verify Fix Applied:

Confirm the module version is 2.0.3 or later, then request a few previously restricted pages as an anonymous user and as an authenticated user without the permitting role; every such request should be denied (HTTP 403), not served.
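The version check above can be scripted against `drush pm:list --format=json` output. The following is an added example for this page, not tooling from the module or from drush; the sample JSON is constructed, the top-level module key and the "status"/"version" field names follow drush's JSON output, and the version parser also handles the legacy "8.x-" prefix, pre-release suffixes and dev snapshots (which it refuses to judge rather than guess).

```python
"""Decide whether an installed Pages Restriction Access module is in the
CVE-2024-13302 range (2.0.0 <= version < 2.0.3) from `drush pm:list` output.

Example code added for this page; it is not part of the module or of drush.
On a real site:
    drush pm:list --type=module --format=json > modules.json
    python check_pra.py modules.json
"""
import json
import re
import sys
from typing import Optional, Tuple

MODULE = "pages_restriction_access"
# Conservative bounds: a pre-release of 2.0.0 counts as affected, a
# pre-release of 2.0.3 counts as not yet fixed. Final releases get flag 1.
FIRST_AFFECTED = (2, 0, 0, 0)
FIXED = (2, 0, 3, 1)

# Semantic "2.0.2", legacy "8.x-2.0.2", optional pre-release "-beta1".
_VERSION_RE = re.compile(r"^(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a Drupal contrib version string into a comparable tuple.

    Returns None for dev snapshots such as "2.0.x-dev" (the patch level is
    not knowable from the string) and for anything else unparsable.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    if suffix and "dev" in suffix:
        return None
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_vulnerable(version: str) -> Optional[bool]:
    """True inside the advisory range, False outside it, None if undecidable."""
    v = parse_version(version)
    if v is None:
        return None
    return FIRST_AFFECTED <= v < FIXED


def assess_drush_json(drush_json: str) -> dict:
    """Evaluate the JSON printed by `drush pm:list --format=json`.

    Key names (module machine name at top level, "status" and "version"
    inside) follow drush's output; the sample below is constructed.
    """
    info = json.loads(drush_json).get(MODULE)
    if info is None:
        return {"installed": False, "enabled": False, "version": None,
                "vulnerable": False, "undecidable": False}
    enabled = str(info.get("status", "")).lower() == "enabled"
    version = info.get("version") or ""
    verdict = is_vulnerable(version)
    return {
        "installed": True,
        "enabled": enabled,
        "version": version,
        # A copy present in the codebase but not installed is not exposed,
        # though it should still be updated before anyone enables it.
        "vulnerable": bool(verdict) and enabled,
        "undecidable": verdict is None and enabled,
    }


# Constructed sample of drush output for an exposed site.
SAMPLE_DRUSH_JSON = """{
  "pages_restriction_access": {
    "package": "Other",
    "display_name": "Pages Restriction Access (pages_restriction_access)",
    "status": "Enabled",
    "version": "2.0.2",
    "type": "module"
  },
  "node": {
    "package": "Core",
    "display_name": "Node (node)",
    "status": "Enabled",
    "version": "10.2.3",
    "type": "module"
  }
}"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DRUSH_JSON
    result = assess_drush_json(data)
    print(result)
    if result["undecidable"]:
        print("dev snapshot installed: compare its commit date with the 2.0.3 release")
    sys.exit(1 if result["vulnerable"] or result["undecidable"] else 0)
```

The exit status makes the script usable as a CI or fleet-audit gate; a dev snapshot is treated as a failure on purpose, because the version string alone cannot prove it carries the fix.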

📡 Detection & Monitoring

Log Indicators:

  • A client that receives 403 on a restricted URL and, shortly afterwards, 200 on the same URL (sometimes with a trivial variation such as a trailing slash or query string)
  • 200 responses to restricted URLs for sessions whose user lacks the permitting role; web-server logs alone do not record the role, so this needs Drupal-side logging (dblog or syslog) or the Drupal user ID added to the access log format

Network Indicators:

  • Repeated requests to known restricted page paths from clients that never authenticate (no Drupal session cookie), or a single client enumerating many such paths in a short time

SIEM Query:

web_access_logs status_code=200 AND url_path CONTAINS '/restricted-page' AND user_role NOT IN ('admin','authorized_role')

This is a pseudo-query: substitute the paths the module actually protects for '/restricted-page' and your own role names for the list. The user_role field does not exist in standard web-server access logs; populate it from Drupal's own logging or a custom log format, or fall back to correlating 403-then-200 sequences per client and path.
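The 403-then-200 correlation named in the log indicators can be run over ordinary web-server logs without any Drupal-side fields. The following is an added example for this page, not code from the advisory or from Drupal: the log lines are constructed in Apache/Nginx combined format, and the list of restricted path prefixes is an assumed, site-specific input that you would replace with the paths the module protects.

```python
"""Correlate web-server access logs for the indicator named above: a client
that is denied (403) on a restricted path and later served (200) on the same
path. Example code added for this page, not part of the advisory or of Drupal.
The log lines are constructed, in Apache/Nginx combined format, and the
restricted prefixes are an assumed site-specific list."""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed: the path prefixes the module protects on this site.
RESTRICTED_PREFIXES = ("/members", "/board")


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for blanks or foreign formats."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and trailing slash so trivially different
    # spellings of one page correlate as the same path.
    path = urlsplit(m["target"]).path.rstrip("/") or "/"
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": path, "status": int(m["status"])}


def is_restricted(path: str, prefixes=RESTRICTED_PREFIXES) -> bool:
    """Match on whole path segments, so /board does not cover /boardroom."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def find_bypass_candidates(lines: Iterable[str], prefixes=RESTRICTED_PREFIXES
                           ) -> List[Tuple[str, str, datetime, datetime]]:
    """Return (ip, path, first_denied_at, allowed_at) for each client that was
    refused a restricted path and later got 200 for it. Lines may arrive out
    of order; they are sorted by timestamp before correlation."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    first_denied: Dict[Tuple[str, str], datetime] = {}
    hits = []
    for e in events:
        if not is_restricted(e["path"], prefixes):
            continue
        key = (e["ip"], e["path"])
        if e["status"] == 403:
            first_denied.setdefault(key, e["ts"])
        elif e["status"] == 200 and key in first_denied:
            # Report each denied-then-served transition once per client/path.
            hits.append((e["ip"], e["path"], first_denied.pop(key), e["ts"]))
    return hits


# Constructed sample: one client probes a restricted page, is refused twice,
# then is served it; a second client is served it outright; /about is public.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:00:01 +0000] "GET /members/board-minutes HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:00:09 +0000] "GET /members/board-minutes/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:00:20 +0000] "GET /members/board-minutes?print=1 HTTP/1.1" 200 18340 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2025:10:01:00 +0000] "GET /members/board-minutes HTTP/1.1" 200 18340 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:02:00 +0000] "GET /about HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:02:30 +0000] "GET /about HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, path, denied, allowed in find_bypass_candidates(SAMPLE_LOG.splitlines()):
        print(f"{ip} denied {path} at {denied:%H:%M:%S}, served at {allowed:%H:%M:%S}")
```

Note what this cannot see: the second client in the sample, served the restricted page on its first request, is indistinguishable from a legitimate member in a web-server log. Catching that case needs the user ID or role from Drupal-side logging, which is what the SIEM query above assumes.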

🔗 References

  • Drupal security advisory SA-CONTRIB-2024-068: https://www.drupal.org/sa-contrib-2024-068
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-13302
