Cyber Posture

CVE-2024-13191

Severity: Medium · Public PoC available

Published: 08 January 2025

Modified: 28 May 2025
KEV Added:
Patch:
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0008 (22.4th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability classified as critical has been found in ZeroWdd myblog 1.0. It affects the function upload in the file src/main/java/com/wdd/myblog/controller/admin/uploadController.java. Manipulation of the argument file leads to an unrestricted file upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Security Summary

CVE-2024-13191 is a vulnerability classified as critical in ZeroWdd myblog 1.0, affecting the upload function in the file src/main/java/com/wdd/myblog/controller/admin/uploadController.java. It enables unrestricted file upload through manipulation of the file argument and can be triggered remotely.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating that low-privileged remote attackers can exploit it with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, and is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

Advisories and further details are documented on VulDB (vuldb.com/?ctiid.290783, vuldb.com/?id.290783) and the project's GitHub repository (github.com/ZeroWdd/myblog/issues/3). The exploit has been publicly disclosed and may be used by attackers.

Details

CWE(s)
CWE-284, CWE-434

Affected Products

Vendor: zerowdd
Product: myblog
Version: 1.0
