Cyber Posture

CVE-2024-13110

Medium · Public PoC

Published: 02 January 2025

Modified: 25 August 2025
KEV Added
Patch
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0020 (41.5th percentile)
Risk Priority: 9 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability classified as problematic has been found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected is an unknown function of the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java, of the component Exam Answer Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Security Summary

CVE-2024-13110 is an information disclosure vulnerability, classified as problematic, affecting Beijing Yunfan Internet Technology's Yunfan Learning Examination System version 1.9.2. The issue resides in an unknown function within the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java, part of the Exam Answer Handler component. Manipulation of this function results in the exposure of sensitive information. The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) and is mapped to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control).

The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L), requiring no user interaction and low attack complexity. Successful exploitation allows the attacker to obtain limited confidential information (C:L), such as potentially sensitive data handled by the Exam Answer Handler, without impacting integrity or availability.

Advisories published on VulDB (ctiid.289926, id.289926) and GitHub (qiutiandefeng/yfexam-exam, issues/5 and issues/5#issue-2754675223) detail the vulnerability and confirm that an exploit has been disclosed to the public and may be used. No specific patches or mitigations are outlined in the available references; security practitioners should review the GitHub issue for potential workarounds or updates from the vendor.

The exploit's public disclosure increases the risk of immediate exploitation in unpatched environments running the affected system.

Details

CWE(s)
CWE-200, CWE-284, NVD-CWE-noinfo

Affected Products

kaoshifeng: yunfan learning examination system 1.9.2

References