CVE-2024-13212
Published: 09 January 2025
Description
A vulnerability classified as critical has been found in SingMR HouseRent 1.0. This affects the function singleUpload/upload of the file src/main/java/com/house/wym/controller/AddHouseController.java. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2024-13212 is a critical vulnerability in SingMR HouseRent 1.0, affecting the singleUpload/upload function within the file src/main/java/com/house/wym/controller/AddHouseController.java. Manipulating the 'file' argument results in an unrestricted file upload; the issue is classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-09.
The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L), requiring no user interaction and only low attack complexity over the network. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through unrestricted file uploads, potentially enabling attackers to upload malicious files to the server.
Advisories and references, including GitHub issues at https://github.com/SingMR/HouseRent/issues/13 and VulDB entries (e.g., https://vuldb.com/?ctiid.290817), document the vulnerability. The exploit has been publicly disclosed and may be used, with no specific patches or mitigations detailed in the available information.
Details
- CWE(s)