CVE-2024-13145

MediumPublic PoC

Published: 06 January 2025

Published

06 January 2025

Modified

22 August 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0008 22.5th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13145 is a medium-severity Improper Access Control (CWE-284) vulnerability in Zhenfeng13 My-Blog. Its CVSS base score is 6.3 (Medium).

Operationally, ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Mandates validation of all information inputs, including the manipulated 'file' argument, to block unrestricted uploads of dangerous file types.

SI-9 Information Input Restrictions good match

prevent

Restricts types and quantities of inputs to the system, directly preventing unrestricted file uploads through the vulnerable upload function.

SI-3 Malicious Code Protection good match

preventdetect

Deploys malicious code protection at system entry points to detect and eradicate dangerous files uploaded via the unrestricted upload vulnerability.

NVD Description

A vulnerability classified as critical was found in zhenfeng13 My-Blog 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/site/blog/my/core/controller/admin/uploadController. java. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely.…

The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2024-13145 is a critical vulnerability in zhenfeng13 My-Blog version 1.0, affecting the upload function within the file src/main/java/com/site/blog/my/core/controller/admin/uploadController.java. It enables unrestricted file upload through manipulation of the 'file' argument, as classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-06.

A remote attacker with low privileges, such as administrative access, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling malicious file uploads that could lead to further compromise depending on the uploaded content.

Advisories on GitHub (issues/141) and VulDB (ctiid.290233, id.290233) detail the vulnerability, confirming remote exploitability and public disclosure of a proof-of-concept that may be actively used by attackers. No specific patches are referenced in the available information.

Details

CWE(s): CWE-284 CWE-434

Affected Products

zhenfeng13

my-blog

1.0

CVEs Like This One

CVE-2024-13144Same product: Zhenfeng13 My-Blog

CVE-2024-13133Shared CWE-284, CWE-434

CVE-2026-7733Shared CWE-284, CWE-434

CVE-2025-1166Shared CWE-284, CWE-434

CVE-2026-2979Shared CWE-284, CWE-434

CVE-2025-7755Shared CWE-284, CWE-434

CVE-2025-7470Shared CWE-284, CWE-434

CVE-2025-2973Shared CWE-284, CWE-434

CVE-2026-3800Shared CWE-284, CWE-434

CVE-2026-4221Shared CWE-284, CWE-434

References

https://github.com/ZHENFENG13/My-Blog/issues/141
Exploit, Issue Tracking · cna@vuldb.com
https://github.com/ZHENFENG13/My-Blog/issues/141#issue-2759820153
Exploit, Issue Tracking · cna@vuldb.com
https://vuldb.com/?ctiid.290233
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.290233
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.469221
Third Party Advisory, VDB Entry · cna@vuldb.com