CVE-2024-13134
Published: 05 January 2025
Summary
CVE-2024-13134 is a medium-severity Improper Access Control (CWE-284) vulnerability in Zerowdd Studentmanager. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13134 is a critical vulnerability in ZeroWdd studentmanager 1.0, affecting the addTeacher and editTeacher functions in the file src/main/java/com/wdd/studentmanager/controller/TeacherController.java. It enables unrestricted file upload through manipulation of the 'file' argument and is associated with CWEs-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue was published on 2025-01-05.
The vulnerability is exploitable remotely by low-privileged users (PR:L) with no user interaction required (UI:N) and low attack complexity (AC:L), as per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Attackers can achieve low-level impacts on confidentiality, integrity, and availability via the file upload mechanism.
Details on the exploit are publicly disclosed in GitHub issue #16 (including comment #2755347097) of the ZeroWdd/studentmanager repository and documented on VulDB (CTI-ID 290208, ID 290208, submit ID 467916). The references indicate the exploit may be used but do not specify patches or mitigations.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51367
Vulnerability details
A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/Java/com/wdd/studentmanager/controller/TeacherController. java. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack…
more
remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload (CWE-434) in public web app directly enables remote exploitation (T1190) and web shell deployment (T1100/T1505.003) via malicious file upload.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly validates the manipulated 'file' argument in TeacherController addTeacher/editTeacher functions to prevent unrestricted upload of dangerous files.
Requires identification, reporting, and correction of the specific unrestricted file upload flaw in the application code.
Enforces restrictions on file types, sizes, and other attributes to block unrestricted uploads of dangerous file types via the vulnerable controller.