CVE-2024-13133

Medium

Published: 05 January 2025

Published

05 January 2025

Modified

10 October 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0007 22.2th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13133 is a medium-severity Improper Access Control (CWE-284) vulnerability in Zerowdd Studentmanager. Its CVSS base score is 6.3 (Medium).

Operationally, ranked at the 22.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and remediation of the critical unrestricted file upload flaw in StudentController.java, eliminating the vulnerability.

SI-10 Information Input Validation good match

prevent

Validates the manipulated 'file' argument in addStudent/editStudent functions to reject dangerous file types and contents, preventing unrestricted uploads.

SI-9 Information Input Restrictions good match

prevent

Restricts classes of file inputs to safe types only, blocking arbitrary file uploads via the vulnerable controller endpoints.

NVD Description

A vulnerability, which was classified as critical, has been found in ZeroWdd studentmanager 1.0. This issue affects the function addStudent/editStudent of the file src/main/Java/com/wdd/studentmanager/controller/StudentController. java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated…

remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2024-13133 is a critical vulnerability in ZeroWdd studentmanager version 1.0, affecting the addStudent and editStudent functions within the file src/main/java/com/wdd/studentmanager/controller/StudentController.java. The flaw allows unrestricted file upload through manipulation of the 'file' argument, enabling attackers to upload arbitrary files remotely. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

An attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants limited impacts: low confidentiality (C:L) via potential access to uploaded files, low integrity (I:L) through malicious file modifications, and low availability (A:L) disruption. The exploit has been publicly disclosed, increasing the risk of remote initiation.

Advisories referenced in GitHub issues #16 (including comment #2755347097) and VulDB entries (ctiid.290207 and id.290207) detail the vulnerability but do not specify patches or mitigations in the available information. Security practitioners should review these sources for updates on remediation.

Details

CWE(s): CWE-284 CWE-434

Affected Products

zerowdd

studentmanager

1.0

CVEs Like This One

CVE-2024-13134Same product: Zerowdd Studentmanager

CVE-2024-13191Same vendor: Zerowdd

CVE-2024-13189Same vendor: Zerowdd

CVE-2026-7733Shared CWE-284, CWE-434

CVE-2025-1166Shared CWE-284, CWE-434

CVE-2026-2979Shared CWE-284, CWE-434

CVE-2025-7755Shared CWE-284, CWE-434

CVE-2025-7470Shared CWE-284, CWE-434

CVE-2025-2973Shared CWE-284, CWE-434

CVE-2026-3800Shared CWE-284, CWE-434

References

https://github.com/ZeroWdd/studentmanager/issues/16
Not Applicable · cna@vuldb.com
https://github.com/ZeroWdd/studentmanager/issues/16#issue-2755347097
Not Applicable · cna@vuldb.com
https://vuldb.com/?ctiid.290207
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.290207
Third Party Advisory, VDB Entry · cna@vuldb.com