Cyber Resilience

CVE-2024-13134

Medium

Published: 05 January 2025

Published: 05 January 2025
Modified: 10 October 2025
KEV Added:
Patch:
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0036 (28.1th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2024-13134 is a medium-severity Improper Access Control (CWE-284) vulnerability in Zerowdd Studentmanager. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13134 is a critical vulnerability in ZeroWdd studentmanager 1.0, affecting the addTeacher and editTeacher functions in the file src/main/java/com/wdd/studentmanager/controller/TeacherController.java. It enables unrestricted file upload through manipulation of the 'file' argument and is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue was published on 2025-01-05.

The vulnerability is exploitable remotely by low-privileged users (PR:L) with no user interaction required (UI:N) and low attack complexity (AC:L), per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Through the file upload mechanism, attackers can achieve impacts rated low (C:L/I:L/A:L) on confidentiality, integrity, and availability.

Details on the exploit are publicly disclosed in GitHub issue #16 (including comment #2755347097) of the ZeroWdd/studentmanager repository and documented on VulDB (CTI-ID 290208, ID 290208, submit ID 467916). The references indicate the exploit may be used but do not specify patches or mitigations.

Vulnerability details

A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/java/com/wdd/studentmanager/controller/TeacherController.java. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

CWE-284 Improper Access Control
CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload (CWE-434) in a public-facing web application directly enables remote exploitation (T1190) and web shell deployment (T1100/T1505.003) via a malicious file upload.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13133: same product (Zerowdd Studentmanager)
CVE-2024-13191: same vendor (Zerowdd)
CVE-2026-0643: shared CWE-284, CWE-434
CVE-2026-0566: shared CWE-284, CWE-434
CVE-2026-0547: shared CWE-284, CWE-434
CVE-2024-13189: same vendor (Zerowdd)
CVE-2026-2550: shared CWE-284, CWE-434
CVE-2025-2952: shared CWE-284, CWE-434
CVE-2025-2219: shared CWE-284, CWE-434
CVE-2026-2133: shared CWE-284, CWE-434

Affected Assets

Vendor: zerowdd
Product: studentmanager
Version: 1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-10 Information Input Validation: Directly validates the manipulated 'file' argument in the TeacherController addTeacher/editTeacher functions to prevent unrestricted upload of dangerous files.

prevent · SI-2 Flaw Remediation: Requires identification, reporting, and correction of the specific unrestricted file upload flaw in the application code.

prevent: Enforces restrictions on file types, sizes, and other attributes to block unrestricted uploads of dangerous file types via the vulnerable controller.
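The three controls above come down to validating the 'file' argument before anything is written to disk. What follows is an added example, not code from the ZeroWdd studentmanager project or its TeacherController: a hypothetical, framework-free Java validator in which the class name UploadValidator, the size limit, the extension allow-list and the magic-byte table are all assumptions chosen for illustration. It checks the size, rejects path characters in the client-supplied name, allow-lists the extension, verifies that the leading bytes match the declared image type, and stores the file under a server-generated name inside a fixed upload root.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/**
 * Hypothetical server-side upload validator (SI-10 style input validation)
 * for a "file" form argument. Not the studentmanager project's code; every
 * name and limit here is an assumption made for this example.
 */
public final class UploadValidator {

    /** Upper bound on an accepted upload (constructed value: 2 MiB). */
    static final long MAX_BYTES = 2L * 1024 * 1024;

    /** Allow-list of extensions; anything not listed is rejected. */
    static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg");

    /** Leading bytes a file with the given extension must start with. */
    static final Map<String, byte[]> MAGIC = Map.of(
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});

    /** Returns an error message describing why the upload is rejected, or null when it is accepted. */
    public static String validate(String originalName, byte[] content) {
        if (originalName == null || originalName.isEmpty()) return "missing file name";
        if (content == null || content.length == 0) return "empty upload";
        if (content.length > MAX_BYTES) return "upload exceeds size limit";

        // The client-supplied name must never influence a filesystem path.
        if (originalName.contains("/") || originalName.contains("\\") || originalName.indexOf('\0') >= 0) {
            return "file name contains path characters";
        }
        // Only the final extension counts, lower-cased; a spoofed name such as
        // "x.jsp.png" passes this step but is caught by the content check below.
        int dot = originalName.lastIndexOf('.');
        if (dot < 0 || dot == originalName.length() - 1) return "file has no extension";
        String ext = originalName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) return "extension not allowed: " + ext;

        // The bytes must match the declared type; the name and Content-Type header are untrusted.
        byte[] magic = MAGIC.get(ext);
        if (content.length < magic.length
                || !Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
            return "content does not match declared type " + ext;
        }
        return null;
    }

    /**
     * Stores an accepted upload under a server-generated name inside uploadRoot,
     * so the original file name never reaches the stored path.
     */
    public static Path store(Path uploadRoot, String originalName, byte[] content) throws IOException {
        String error = validate(originalName, content);
        if (error != null) throw new IllegalArgumentException(error);
        String ext = originalName.substring(originalName.lastIndexOf('.') + 1).toLowerCase(Locale.ROOT);
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(root)) throw new IllegalStateException("path escaped upload root");
        Files.createDirectories(root);
        return Files.write(target, content, StandardOpenOption.CREATE_NEW);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs, not captured from any real request.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0};
        byte[] text = "not an image".getBytes(StandardCharsets.UTF_8);

        System.out.println(validate("photo.png", png));        // well-formed PNG
        System.out.println(validate("photo.jsp", text));       // extension outside the allow-list
        System.out.println(validate("photo.png", text));       // allowed extension, but bytes are not a PNG
        System.out.println(validate("../../photo.png", png));  // path characters in the name

        Path root = Files.createTempDirectory("uploads");
        System.out.println("stored at " + store(root, "photo.png", png));
    }
}
```

In a Spring-style controller the name and bytes would come from the multipart part, but the shape of the check is the same: the accepted set is an allow-list rather than a deny-list, the content is verified against the declared type rather than trusting the name or Content-Type header, and the stored path is built from a server-generated name. The upload root should also sit outside any directory the servlet container serves or executes, so an accepted file can never be reached as a script.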
