CVE-2024-13134

Medium

Published: 05 January 2025

Published

05 January 2025

Modified

10 October 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0014 33.3th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13134 is a medium-severity Improper Access Control (CWE-284) vulnerability in Zerowdd Studentmanager. Its CVSS base score is 6.3 (Medium).

Operationally, ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates the manipulated 'file' argument in TeacherController addTeacher/editTeacher functions to prevent unrestricted upload of dangerous files.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and correction of the specific unrestricted file upload flaw in the application code.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on file types, sizes, and other attributes to block unrestricted uploads of dangerous file types via the vulnerable controller.

NVD Description

A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/Java/com/wdd/studentmanager/controller/TeacherController. java. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack…

remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2024-13134 is a critical vulnerability in ZeroWdd studentmanager 1.0, affecting the addTeacher and editTeacher functions in the file src/main/java/com/wdd/studentmanager/controller/TeacherController.java. It enables unrestricted file upload through manipulation of the 'file' argument and is associated with CWEs-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue was published on 2025-01-05.

The vulnerability is exploitable remotely by low-privileged users (PR:L) with no user interaction required (UI:N) and low attack complexity (AC:L), as per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Attackers can achieve low-level impacts on confidentiality, integrity, and availability via the file upload mechanism.

Details on the exploit are publicly disclosed in GitHub issue #16 (including comment #2755347097) of the ZeroWdd/studentmanager repository and documented on VulDB (CTI-ID 290208, ID 290208, submit ID 467916). The references indicate the exploit may be used but do not specify patches or mitigations.

Details

CWE(s): CWE-284 CWE-434

Affected Products

zerowdd

studentmanager

1.0

CVEs Like This One

CVE-2024-13133Same product: Zerowdd Studentmanager

CVE-2024-13191Same vendor: Zerowdd

CVE-2024-13189Same vendor: Zerowdd

CVE-2026-7733Shared CWE-284, CWE-434

CVE-2025-1166Shared CWE-284, CWE-434

CVE-2026-2979Shared CWE-284, CWE-434

CVE-2025-7755Shared CWE-284, CWE-434

CVE-2025-7470Shared CWE-284, CWE-434

CVE-2025-2973Shared CWE-284, CWE-434

CVE-2026-3800Shared CWE-284, CWE-434

References

https://github.com/ZeroWdd/studentmanager/issues/16
Not Applicable · cna@vuldb.com
https://github.com/ZeroWdd/studentmanager/issues/16#issue-2755347097
Not Applicable · cna@vuldb.com
https://vuldb.com/?ctiid.290208
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.290208
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.467916
Third Party Advisory, VDB Entry · cna@vuldb.com