Cyber Posture

CVE-2024-13144

MediumPublic PoC

Published: 06 January 2025

Published
06 January 2025
Modified
22 August 2025
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0008 22.5th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13144 is a medium-severity Improper Access Control (CWE-284) vulnerability in Zhenfeng13 My-Blog. Its CVSS base score is 6.3 (Medium).

Operationally, ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents exploitation by validating the content, type, and format of files uploaded via the editormd-image-file argument in the vulnerable uploadFileByEditomd function.

SI-9 Information Input Restrictions good match
prevent

Restricts file uploads to the BlogController endpoint to only permitted types and formats, blocking unrestricted arbitrary file uploads.

SI-2 Flaw Remediation good match
prevent

Mandates remediation of the specific flaw in src/main/java/com/site/blog/my/core/controller/admin/BlogController.java through patching or code correction.

NVD Description

A vulnerability classified as critical has been found in zhenfeng13 My-Blog 1.0. Affected is the function uploadFileByEditomd of the file src/main/java/com/site/blog/my/core/controller/admin/BlogController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. It is possible to launch the attack remotely. The…

more

exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2024-13144 is a vulnerability classified as critical in zhenfeng13 My-Blog 1.0, affecting the uploadFileByEditomd function within the file src/main/java/com/site/blog/my/core/controller/admin/BlogController.java. The issue stems from manipulation of the editormd-image-file argument, enabling unrestricted file upload (CWE-284, CWE-434). It has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-06.

A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation allows arbitrary file uploads, potentially compromising confidentiality, integrity, and availability to a low degree. The exploit has been disclosed publicly and may be used.

Advisories and discussions on mitigation are available in GitHub issues such as https://github.com/ZHENFENG13/My-Blog/issues/140 and VulDB entries including https://vuldb.com/?id.290232.

Details

CWE(s)
CWE-284CWE-434

Affected Products

zhenfeng13
my-blog
1.0

CVEs Like This One

CVE-2024-13145Same product: Zhenfeng13 My-Blog
CVE-2024-13133Shared CWE-284, CWE-434
CVE-2026-7733Shared CWE-284, CWE-434
CVE-2025-1166Shared CWE-284, CWE-434
CVE-2026-2979Shared CWE-284, CWE-434
CVE-2025-7755Shared CWE-284, CWE-434
CVE-2025-7470Shared CWE-284, CWE-434
CVE-2025-2973Shared CWE-284, CWE-434
CVE-2026-3800Shared CWE-284, CWE-434
CVE-2026-4221Shared CWE-284, CWE-434

References