CVE-2024-13111
Published: 02 January 2025
Description
A vulnerability classified as critical was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected by this vulnerability is an unknown functionality of the file src/main/java/com/yf/exam/modules/sys/user/controller/SysUserControl of the component JWT Token Handler. The manipulation leads to improper authentication. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2024-13111 is a critical improper authentication vulnerability (CWE-287) affecting Beijing Yunfan Internet Technology Yunfan Learning Examination System version 1.9.2. The issue resides in an unknown functionality within the JWT Token Handler component, specifically the file src/main/java/com/yf/exam/modules/sys/user/controller/SysUserControl. It has a CVSS v3.1 base score of 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating medium severity despite the critical classification, and was published on 2025-01-02.
Remote attackers with no privileges required can exploit this vulnerability through manipulation leading to improper authentication. The attack complexity is high, and exploitation is considered difficult, but it can be launched remotely with low impacts on confidentiality, integrity, and availability.
Advisories and details are available via VulDB entries (ctiid.289927, id.289927, submit.467701) and GitHub issues in the qiutiandefeng/yfexam-exam repository (issues/6 and issue comment #2754680012), where the exploit has been publicly disclosed and may be used. No specific patch or mitigation details are outlined in the primary sources.
Details
- CWE(s): CWE-287 (Improper Authentication)