CVE-2024-13145
Published: 06 January 2025
Description
A vulnerability classified as critical was found in zhenfeng13 My-Blog 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/site/blog/my/core/controller/admin/uploadController. java. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2024-13145 is a critical vulnerability in zhenfeng13 My-Blog version 1.0, affecting the upload function within the file src/main/java/com/site/blog/my/core/controller/admin/uploadController.java. It enables unrestricted file upload through manipulation of the 'file' argument, as classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-06.
A remote attacker with low privileges, such as administrative access, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling malicious file uploads that could lead to further compromise depending on the uploaded content.
Advisories on GitHub (issues/141) and VulDB (ctiid.290233, id.290233) detail the vulnerability, confirming remote exploitability and public disclosure of a proof-of-concept that may be actively used by attackers. No specific patches are referenced in the available information.
Details
- CWE(s)