CVE-2024-13210
Published: 09 January 2025
Description
A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java. The manipulation of the argument pictureFile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2024-13210 is a vulnerability in the donglight bookstore电商书城系统说明 version 1.0, classified as critical despite a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L). It affects the uploadPicture function in the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java, where manipulation of the pictureFile argument enables unrestricted file upload. The issue is linked to CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
The vulnerability is remotely exploitable over the network with low attack complexity, but it requires high privileges (PR:H), such as administrative access to the bookstore back end. An attacker holding such access could upload arbitrary files; the vector rates the resulting impact on confidentiality, integrity, and availability as low (C:L/I:L/A:L), with the real-world effect depending on the uploaded content and on whether the web server will execute or serve the stored file.
Details on the vulnerability, including the disclosed exploit, are available in GitHub issues at https://github.com/donglight/bookstore/issues/10 and https://github.com/donglight/bookstore/issues/10#issue-2760923048, as well as VulDB entries like https://vuldb.com/?id.290815. No specific patch or mitigation steps are outlined in the initial disclosure.
The exploit has been publicly disclosed and may be used by attackers. The CVE was published on 2025-01-09.
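The CWE-434 side of this advisory (an upload handler that trusts the client-supplied pictureFile) is usually closed by validating the upload before anything is written to disk. The following is an added, standalone example of such validation, written for this page; it is not the bookstore project's code and makes no claim about how its uploadPicture method is implemented. The class name SafePictureUpload, the 2 MiB size cap, the allowed image types and the storage directory are all assumptions. The CWE-284 side (who may reach the admin controller at all) still has to be enforced by the application's authentication and authorization layer; this code only decides whether a given body is an acceptable picture and under what name it is stored.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Hypothetical hardened picture-upload handling (added example, not the
 * bookstore project's code). It refuses anything that is not a recognised
 * image, ignores the client-supplied file name when choosing where to
 * write, and keeps the stored path inside one upload directory.
 */
public class SafePictureUpload {

    private static final long MAX_BYTES = 2L * 1024 * 1024;            // assumed policy: 2 MiB
    private static final List<String> ALLOWED_EXT = Arrays.asList("png", "jpg", "jpeg", "gif");
    private static final SecureRandom RNG = new SecureRandom();

    // Leading bytes of the image formats we accept.
    private static final byte[] PNG_MAGIC  = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    private static final byte[] JPEG_MAGIC = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] GIF_MAGIC  = {'G', 'I', 'F', '8'};

    public static final class RejectedUpload extends Exception {
        RejectedUpload(String msg) { super(msg); }
    }

    /** Returns the extension the content actually matches, or null if none. */
    static String sniff(byte[] data) {
        if (startsWith(data, PNG_MAGIC))  return "png";
        if (startsWith(data, JPEG_MAGIC)) return "jpg";
        if (startsWith(data, GIF_MAGIC))  return "gif";
        return null;
    }

    private static boolean startsWith(byte[] data, byte[] magic) {
        return data.length >= magic.length
                && Arrays.equals(Arrays.copyOf(data, magic.length), magic);
    }

    /** Lower-cased suffix of the client name, with any directory part dropped. */
    static String extensionOf(String clientName) {
        int slash = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String base = clientName.substring(slash + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return "";
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /**
     * Validates an upload and returns the name it should be stored under.
     * The name is random and carries the sniffed extension, so nothing the
     * client chose ever reaches the filesystem.
     */
    public static String validate(String clientName, byte[] data) throws RejectedUpload {
        if (data.length == 0 || data.length > MAX_BYTES) {
            throw new RejectedUpload("size out of bounds: " + data.length);
        }
        String declared = extensionOf(clientName);
        if (!ALLOWED_EXT.contains(declared)) {
            throw new RejectedUpload("extension not allowed: '" + declared + "'");
        }
        String sniffed = sniff(data);
        if (sniffed == null) {
            throw new RejectedUpload("content is not a supported image");
        }
        // jpg and jpeg are one family; otherwise the declared and real types must agree.
        String declaredFamily = declared.equals("jpeg") ? "jpg" : declared;
        if (!declaredFamily.equals(sniffed)) {
            throw new RejectedUpload("extension " + declared + " does not match content " + sniffed);
        }
        byte[] rnd = new byte[16];
        RNG.nextBytes(rnd);
        StringBuilder sb = new StringBuilder();
        for (byte b : rnd) sb.append(String.format("%02x", b));
        return sb.append('.').append(sniffed).toString();
    }

    /** Writes validated bytes under a directory the web server treats as static data only. */
    public static Path store(Path uploadDir, String clientName, byte[] data) throws Exception {
        String storedName = validate(clientName, data);
        Path root = uploadDir.toAbsolutePath().normalize();
        Path target = root.resolve(storedName).normalize();
        if (!target.startsWith(root)) {                       // belt-and-braces path check
            throw new RejectedUpload("path escaped upload directory");
        }
        Files.createDirectories(root);
        return Files.write(target, data);
    }

    public static void main(String[] args) {
        // Constructed samples: a PNG-looking header and a plain-text body that is not an image.
        byte[] pngLike = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] text = "plain text, not an image".getBytes(StandardCharsets.UTF_8);
        String[] names  = {"cover.png", "notes.txt", "cover.png", "../../cover.gif"};
        byte[][] bodies = {pngLike,     text,        text,        pngLike};
        for (int i = 0; i < names.length; i++) {
            try {
                System.out.println(names[i] + " -> stored as " + validate(names[i], bodies[i]));
            } catch (RejectedUpload e) {
                System.out.println(names[i] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with `javac SafePictureUpload.java && java SafePictureUpload` (Java 8 or later). Only the first sample is accepted and it is renamed to a random hex name with a `.png` suffix; the other three are rejected for a disallowed extension, for content that is not an image, and for a declared type that disagrees with the sniffed one. Magic-byte sniffing is not a full image parse, so a production handler would additionally decode the image (for example with ImageIO) and serve the upload directory with a static-content configuration that never executes files.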
Details
- CWE(s)