CVE-2024-13191

MediumPublic PoC

Published: 08 January 2025

Published

08 January 2025

Modified

28 May 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0008 22.5th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13191 is a medium-severity Improper Access Control (CWE-284) vulnerability in Zerowdd Myblog. Its CVSS base score is 6.3 (Medium).

Operationally, ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates unrestricted file upload by requiring validation of uploaded files for dangerous types and content, addressing CWE-434.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations and restrictions on the upload function, countering improper access control (CWE-284) in uploadController.java.

SI-9 Information Input Restrictions good match

prevent

Restricts dangerous file inputs such as executable types in the manipulated file argument, preventing exploitation of the upload vulnerability.

NVD Description

A vulnerability, which was classified as critical, has been found in ZeroWdd myblog 1.0. This issue affects the function upload of the file src/main/java/com/wdd/myblog/controller/admin/uploadController.java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely.…

The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2024-13191 is a vulnerability classified as critical in ZeroWdd myblog 1.0, affecting the upload function in the file src/main/java/com/wdd/myblog/controller/admin/uploadController.java. It enables unrestricted file upload through manipulation of the file argument and can be triggered remotely.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating that low-privileged remote attackers can exploit it with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, and is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

Advisories and further details are documented on VulDB (vuldb.com/?ctiid.290783, vuldb.com/?id.290783) and the project's GitHub repository (github.com/ZeroWdd/myblog/issues/3). The exploit has been publicly disclosed and may be used by attackers.

Details

CWE(s): CWE-284 CWE-434

Affected Products

zerowdd

myblog

1.0

CVEs Like This One

CVE-2024-13189Same product: Zerowdd Myblog

CVE-2024-13133Same vendor: Zerowdd

CVE-2024-13134Same vendor: Zerowdd

CVE-2026-7733Shared CWE-284, CWE-434

CVE-2025-1166Shared CWE-284, CWE-434

CVE-2026-2979Shared CWE-284, CWE-434

CVE-2025-7755Shared CWE-284, CWE-434

CVE-2025-7470Shared CWE-284, CWE-434

CVE-2025-2973Shared CWE-284, CWE-434

CVE-2026-3800Shared CWE-284, CWE-434

References

https://github.com/ZeroWdd/myblog/issues/3
Exploit, Issue Tracking · cna@vuldb.com
https://github.com/ZeroWdd/myblog/issues/3#issue-2759839215
Exploit, Issue Tracking · cna@vuldb.com
https://vuldb.com/?ctiid.290783
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.290783
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.469229
Third Party Advisory, VDB Entry · cna@vuldb.com
https://github.com/ZeroWdd/myblog/issues/3
Exploit, Issue Tracking · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://github.com/ZeroWdd/myblog/issues/3#issue-2759839215
Exploit, Issue Tracking · 134c704f-9b21-4f2e-91b3-4a467353bcc0