Cyber Posture

CVE-2024-13134

Medium

Published: 05 January 2025

Modified: 10 October 2025
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0014 (33.3rd percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/Java/com/wdd/studentmanager/controller/TeacherController.java. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Security Summary

CVE-2024-13134 is a critical vulnerability in ZeroWdd studentmanager 1.0, affecting the addTeacher and editTeacher functions in the file src/main/java/com/wdd/studentmanager/controller/TeacherController.java. It enables unrestricted file upload through manipulation of the 'file' argument and is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue was published on 2025-01-05.

The vulnerability is exploitable remotely by low-privileged users (PR:L) with no user interaction required (UI:N) and low attack complexity (AC:L), as per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Attackers can achieve low-level impacts on confidentiality, integrity, and availability via the file upload mechanism.

Details on the exploit are publicly disclosed in GitHub issue #16 (including comment #2755347097) of the ZeroWdd/studentmanager repository and documented on VulDB (CTI-ID 290208, ID 290208, submit ID 467916). The references indicate the exploit may be used but do not specify patches or mitigations.

Details

CWE(s)
CWE-284, CWE-434

Affected Products

zerowdd studentmanager 1.0
