CVE-2024-13110
Published: 02 January 2025
Summary
CVE-2024-13110 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Kaoshifeng Yunfan Learning Examination System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 49.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).
Deeper analysis
CVE-2024-13110 is a problematic information disclosure vulnerability affecting Beijing Yunfan Internet Technology's Yunfan Learning Examination System version 1.9.2. The issue resides in an unknown function within the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java, part of the Exam Answer Handler component. Manipulation of this function results in the exposure of sensitive information. The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) and is mapped to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control).
The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L), requiring no user interaction and low attack complexity. Successful exploitation allows the attacker to obtain limited confidential information (C:L), such as potentially sensitive data handled by the Exam Answer Handler, without impacting integrity or availability.
Advisories published on VulDB (ctiid.289926, id.289926) and GitHub (qiutiandefeng/yfexam-exam issue #5, issue-2754675223) detail the vulnerability and confirm that a public exploit has been disclosed and may be actively used. No specific patches or mitigations are outlined in the available references; security practitioners should review the GitHub issue for potential workarounds or updates from the vendor.
The exploit's public disclosure increases the risk of immediate exploitation in unpatched environments running the affected system.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51351
Vulnerability details
A vulnerability classified as problematic has been found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected is an unknown function of the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java, of the component Exam Answer Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Remote exploitation of the public-facing web application (PaperController) directly enables unauthorized access to data stored on the system, via the Exam Answer Handler.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces approved access control policies to prevent low-privilege users from exploiting the improper access control in PaperController.java that leads to sensitive exam answer disclosure.
- SI-2 (Flaw Remediation): identifies, reports, and corrects the specific flaw in the Exam Answer Handler component that enables remote information disclosure.
- AU-13 (Monitoring for Information Disclosure): monitors for unauthorized disclosure attempts targeting the vulnerable function in PaperController.java, enabling early detection of exploitation.
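The following is an added illustration of what AC-3 access enforcement and AU-13 monitoring look like in code for an exam-answer lookup of the kind the affected controller handles. It is not code from the yfexam project and does not reproduce the vulnerable function; the class, record and field names (PaperAccessDemo, Paper, Principal, ownerId, the "p-100"/"p-200" papers and the users alice, bob and root) are hypothetical, and the in-memory store and audit list stand in for the application's database and logging. The weak method returns any paper by id alone, which is the shape of an improper access control flaw (CWE-284); the hardened method binds the lookup to the caller's identity and records every refusal for monitoring.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example (not code from the yfexam project): object-level access
// enforcement for an exam-answer lookup, in the spirit of NIST AC-3, with a
// denial audit trail for AU-13. All names here are hypothetical.
public class PaperAccessDemo {

    /** A submitted exam paper with its answer sheet; ownerId is the student who took it. */
    record Paper(String id, String ownerId, List<String> answers) {}

    /** The caller's identity as established by the application's authentication layer. */
    record Principal(String userId, boolean admin) {}

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Constructed in-memory store standing in for the database.
    private final Map<String, Paper> papers = new HashMap<>();
    // Constructed audit sink: denied requests are recorded here for monitoring.
    private final List<String> auditLog = new ArrayList<>();

    PaperAccessDemo() {
        papers.put("p-100", new Paper("p-100", "alice", List.of("A", "C", "B")));
        papers.put("p-200", new Paper("p-200", "bob", List.of("D", "D", "A")));
    }

    /** Weak pattern: looks the paper up by id only, so any authenticated user can read any paper. */
    List<String> answersByIdOnly(String paperId) {
        Paper p = papers.get(paperId);
        if (p == null) throw new IllegalArgumentException("no such paper");
        return p.answers();
    }

    /** Hardened pattern: the paper is released only to its owner or an admin, and refusals are audited. */
    List<String> answersForCaller(Principal caller, String paperId) {
        Paper p = papers.get(paperId);
        // Same response for "missing" and "not yours", so the endpoint does not confirm which ids exist.
        if (p == null || !(caller.admin() || p.ownerId().equals(caller.userId()))) {
            auditLog.add("DENY user=" + caller.userId() + " paper=" + paperId);
            throw new AccessDeniedException("paper not accessible");
        }
        return p.answers();
    }

    List<String> auditLog() { return auditLog; }

    public static void main(String[] args) {
        PaperAccessDemo demo = new PaperAccessDemo();
        Principal bob = new Principal("bob", false);
        Principal admin = new Principal("root", true);

        // Weak path: bob obtains alice's answers because only the id is checked.
        System.out.println("weak: " + demo.answersByIdOnly("p-100"));

        // Hardened path: bob reads his own paper, admin reads any, bob is refused alice's.
        System.out.println("bob own: " + demo.answersForCaller(bob, "p-200"));
        System.out.println("admin: " + demo.answersForCaller(admin, "p-100"));
        try {
            demo.answersForCaller(bob, "p-100");
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
        // A burst of DENY records for one user across many paper ids is the AU-13 signal to alert on.
        System.out.println("audit: " + demo.auditLog());
    }
}
```

Run with `java PaperAccessDemo.java` (Java 16 or later, for records). The design point is that the authorization decision lives beside the data fetch and uses the server-side identity, never a user-supplied owner id, and that the denied path is what the monitoring control consumes.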