Cyber Resilience

CVE-2024-13110

Severity: Medium · Public PoC

Published: 02 January 2025
Modified: 25 August 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0027 (50.6th percentile)
Risk Priority: 11 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13110 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Kaoshifeng Yunfan Learning Examination System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 49.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

CVE-2024-13110 is a problematic information disclosure vulnerability affecting Beijing Yunfan Internet Technology's Yunfan Learning Examination System version 1.9.2. The issue resides in an unknown function within the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java, part of the Exam Answer Handler component. Manipulation of this function results in the exposure of sensitive information. The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) and is mapped to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control).

The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L), requiring no user interaction and low attack complexity. Successful exploitation allows the attacker to obtain limited confidential information (C:L), such as potentially sensitive data handled by the Exam Answer Handler, without impacting integrity or availability.

Advisories published on VulDB (ctiid.289926, id.289926) and on GitHub (qiutiandefeng/yfexam-exam issues/5, #issue-2754675223) detail the vulnerability and confirm that a public exploit has been disclosed and may be actively used. No specific patches or mitigations are outlined in the available references; security practitioners should review the GitHub issue for potential workarounds or updates from the vendor.

The exploit's public disclosure increases the risk of immediate exploitation in unpatched environments running the affected system.

Vulnerability details

A vulnerability classified as problematic has been found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected is an unknown function of the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java, of the component Exam Answer Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Remote exploitation of public-facing web app (PaperController) directly enables unauthorized data access from the local system via the Exam Answer Handler.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13111: same product (Kaoshifeng Yunfan Learning Examination System)
CVE-2026-5571: shared CWE-200, CWE-284
CVE-2025-31125: shared CWE-200, CWE-284
CVE-2026-32938: shared CWE-200, CWE-284
CVE-2025-30208: shared CWE-200, CWE-284
CVE-2026-2055: shared CWE-200, CWE-284
CVE-2024-13600: shared CWE-200
CVE-2024-55272: shared CWE-200
CVE-2026-2054: shared CWE-200, CWE-284
CVE-2026-5585: shared CWE-200, CWE-284

Affected Assets

Vendor: kaoshifeng
Product: yunfan learning examination system
Version: 1.9.2

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Directly enforces approved access control policies to prevent low-privilege users from exploiting the improper access control in PaperController.java leading to sensitive exam answer disclosure.

Flaw remediation (prevent)
Identifies, reports, and corrects the specific flaw in the Exam Answer Handler component that enables remote information disclosure.

AU-13 Monitoring for Information Disclosure (detect)
Monitors for unauthorized disclosure attempts targeting the vulnerable function in PaperController.java, enabling early detection of exploitation.