CVE-2024-13201
Published: 09 January 2025
Description
A vulnerability has been found in wander-chu SpringBoot-Blog 1.0 and classified as critical. This vulnerability affects the function upload of the file src/main/java/com/my/blog/website/controller/admin/AttachtController.java of the component Admin Attachment Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2024-13201 is an unrestricted file upload vulnerability in wander-chu SpringBoot-Blog version 1.0. It affects the upload function within the Admin Attachment Handler component, specifically the file src/main/java/com/my/blog/website/controller/admin/AttachtController.java. An attacker can manipulate the 'file' argument to upload arbitrary files. The issue is classified as critical and is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability has a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by an authenticated attacker with high privileges, such as an admin user. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling the upload of malicious files that could lead to further compromise depending on server configuration and file handling.
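To show what the CWE-434/CWE-284 weakness class described above looks like in a Spring Boot controller and how it is typically closed, the following is an added example of a hardened attachment upload handler next to the unsafe pattern it replaces. It is not code from the SpringBoot-Blog project and does not reproduce its AttachtController; the endpoint path, the upload directory, the extension allowlist, the size limit and the use of Spring Security method authorization are all assumptions made for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.multipart.MultipartFile;

// Hypothetical controller written for this example; not the project's AttachtController.
@RestController
public class HardenedAttachmentController {

    // Assumed allowlist: only the types a blog attachment feature actually needs.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "pdf");

    // Leading bytes expected for each allowed type, so a renamed script does not pass
    // on extension alone.
    private static final Map<String, byte[]> MAGIC = Map.of(
            "png",  new byte[]{(byte) 0x89, 'P', 'N', 'G'},
            "jpg",  new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "gif",  new byte[]{'G', 'I', 'F', '8'},
            "pdf",  new byte[]{'%', 'P', 'D', 'F'});

    // Assumed storage root, outside the servlet's static/web root so nothing
    // written here is ever served or executed by the application server.
    private static final Path UPLOAD_ROOT = Paths.get("/var/blog/attachments").toAbsolutePath().normalize();
    private static final long MAX_BYTES = 5L * 1024 * 1024;   // assumed limit

    // Unsafe pattern (kept here only to contrast with the hardened handler below):
    // no authorization, no type check, and the client-chosen name decides where the
    // bytes land. Never map this as an endpoint.
    static void unsafeUpload(MultipartFile file, Path webRoot) throws IOException {
        Path target = webRoot.resolve(file.getOriginalFilename()); // client controls name and extension
        Files.write(target, file.getBytes());                       // lands inside the served tree
    }

    // CWE-284 side: the advisory's handler lives under the admin area, so the route is
    // explicitly restricted (requires Spring Security method security to be enabled).
    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping("/admin/attachment/upload")   // assumed path for this example
    public String upload(@RequestParam("file") MultipartFile file) throws IOException {
        if (file.isEmpty() || file.getSize() > MAX_BYTES) {
            throw new IllegalArgumentException("empty or oversized upload");
        }

        // Strip any directory components the client may have sent with the name.
        String original = file.getOriginalFilename();
        if (original == null || original.isBlank()) {
            throw new IllegalArgumentException("missing filename");
        }
        String baseName = Paths.get(original).getFileName().toString();

        // CWE-434 side: allowlist the extension, then confirm the content matches it.
        String ext = extensionOf(baseName);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed: " + ext);
        }
        byte[] data = file.getBytes();
        if (!headerMatches(data, MAGIC.get(ext))) {
            throw new IllegalArgumentException("content does not match declared type");
        }

        // Discard the client-supplied name entirely; store under a random name with the
        // validated extension, and re-check the resolved path stays inside the root.
        String stored = UUID.randomUUID() + "." + ext;
        Path target = UPLOAD_ROOT.resolve(stored).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IllegalStateException("resolved path escaped upload root");
        }
        Files.createDirectories(UPLOAD_ROOT);
        Files.write(target, data);
        return stored;   // the application maps this id to a download route; it is never a web path
    }

    // Lower-cased extension after the last dot; "" when there is none.
    static String extensionOf(String name) {
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            return "";
        }
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // True when the first magic.length bytes of data equal magic.
    static boolean headerMatches(byte[] data, byte[] magic) {
        return data.length >= magic.length
                && Arrays.equals(Arrays.copyOf(data, magic.length), magic);
    }
}
```

The two checks map directly onto the advisory's CWE pair: the `@PreAuthorize` guard addresses the access-control side, while the allowlist, magic-byte comparison, random server-chosen filename and out-of-webroot storage address the unrestricted-upload side. Because the stored name never derives from the request, double-extension names and path separators in the client's filename have no effect on where or as what the file is written. Detection-wise, a handler like this gives a clear log point for rejected uploads, which is worth alerting on for an admin-only route.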
Advisories from VulDB and the project's GitHub repository (wander-chu/SpringBoot-Blog issues #6) detail the issue, including a public proof-of-concept exploit. The vendor was contacted early but has not responded or issued patches, leaving affected instances unmitigated.
The exploit has been publicly disclosed and may be actively used, with no evidence of vendor remediation as of the CVE publication on 2025-01-09.
Details
- CWE(s)