CVE-2024-13136

MediumPublic PoC

Published: 05 January 2025

Published

05 January 2025

Modified

10 January 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0009 26.0th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13136 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Wangl1989 Mysiteforme. Its CVSS base score is 6.3 (Medium).

Operationally, ranked at the 26.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the improper input validation (CWE-20) that enables unsafe deserialization of remote rememberMe data in ShiroConfig.java.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the critical deserialization flaw in mysiteforme 1.0 to prevent remote exploitation.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning identifies the publicly disclosed deserialization vulnerability in the rememberMeManager function for patching.

NVD Description

A vulnerability was found in wangl1989 mysiteforme 1.0 and classified as critical. Affected by this issue is the function rememberMeManager of the file src/main/java/com/mysiteforme/admin/config/ShiroConfig.java. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed…

to the public and may be used.

Deeper analysisAI

CVE-2024-13136 is a critical vulnerability in wangl1989 mysiteforme version 1.0, affecting the rememberMeManager function in the file src/main/java/com/mysiteforme/admin/config/ShiroConfig.java. The flaw stems from improper input validation (CWE-20) enabling deserialization (CWE-502), which can be manipulated remotely.

An attacker with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation results in low impacts to confidentiality, integrity, and availability, as reflected in its CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The exploit has been publicly disclosed and may be used.

Advisories reference GitHub issues at https://github.com/wangl1989/mysiteforme/issues/52 and https://github.com/wangl1989/mysiteforme/issues/52#issue-2757682365, along with VulDB entries including https://vuldb.com/?ctiid.290210, https://vuldb.com/?id.290210, and https://vuldb.com/?submit.468391, where further details on the issue are documented.

Details

CWE(s): CWE-20 CWE-502

Affected Products

wangl1989

mysiteforme

1.0

CVEs Like This One

CVE-2024-57766Same product: Wangl1989 Mysiteforme

CVE-2024-57763Same product: Wangl1989 Mysiteforme

CVE-2024-57762Same product: Wangl1989 Mysiteforme

CVE-2024-57764Same product: Wangl1989 Mysiteforme

CVE-2024-57767Same product: Wangl1989 Mysiteforme

CVE-2025-26136Same product: Wangl1989 Mysiteforme

CVE-2024-13139Same product: Wangl1989 Mysiteforme

CVE-2024-13138Same product: Wangl1989 Mysiteforme

CVE-2024-57765Same product: Wangl1989 Mysiteforme

CVE-2025-15438Shared CWE-20, CWE-502

References

https://github.com/wangl1989/mysiteforme/issues/52
Exploit, Issue Tracking · cna@vuldb.com
https://github.com/wangl1989/mysiteforme/issues/52#issue-2757682365
Exploit, Issue Tracking · cna@vuldb.com
https://vuldb.com/?ctiid.290210
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.290210
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.468391
Third Party Advisory, VDB Entry · cna@vuldb.com