Cyber Resilience

CVE-2024-13201

Severity: Medium · Public PoC

Published: 09 January 2025
Modified: 22 August 2025
KEV Added: none
Patch: none
CVSS Score (v4): 5.1
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0007 (22.4th percentile)
Risk Priority: 10 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13201 is a medium-severity Improper Access Control (CWE-284) vulnerability in Wander-Chu Springboot-Blog. Its CVSS v4 base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The CVE ranks at the 22.4th percentile by exploit likelihood (EPSS, below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13201 is an unrestricted file upload vulnerability in wander-chu SpringBoot-Blog version 1.0. It affects the upload function within the Admin Attachment Handler component, specifically the file src/main/java/com/my/blog/website/controller/admin/AttachtController.java. An attacker can manipulate the 'file' argument to upload arbitrary files. The advisory classifies the issue as critical and associates it with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability has a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an authenticated attacker with high privileges, such as an admin user. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling the upload of malicious files that could lead to further compromise depending on server configuration and file handling.

Advisories from VulDB and the project's GitHub repository (wander-chu/SpringBoot-Blog issue #6) describe the issue and reference a public proof-of-concept exploit. The vendor was contacted early but has not responded or issued a patch, leaving affected instances unmitigated.

The exploit has been publicly disclosed and may be actively used, with no evidence of vendor remediation as of the CVE publication on 2025-01-09.


Vulnerability details

A vulnerability has been found in wander-chu SpringBoot-Blog 1.0 and classified as critical. This vulnerability affects the function upload of the file src/main/java/com/my/blog/website/controller/admin/AttachtController.java of the component Admin Attachment Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1505.003 Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in the admin component directly enables deployment of web shells for remote code execution and persistence.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13200 - same product: Wander-Chu Springboot-Blog
CVE-2025-7210 - shared CWE-284, CWE-434
CVE-2026-1813 - shared CWE-284, CWE-434
CVE-2024-13144 - shared CWE-284, CWE-434
CVE-2025-8255 - shared CWE-284, CWE-434
CVE-2025-2219 - shared CWE-284, CWE-434
CVE-2025-7413 - shared CWE-284, CWE-434
CVE-2025-0341 - shared CWE-284, CWE-434
CVE-2026-3748 - shared CWE-284, CWE-434
CVE-2026-2666 - shared CWE-284, CWE-434

Affected Assets

wander-chu springboot-blog 1.0

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly validates the manipulated 'file' argument in the Admin Attachment Handler to block unrestricted upload of arbitrary dangerous files.

prevent: Restricts file types, sizes, and characteristics allowable in the upload function of AttachtController.java to prevent exploitation of CWE-434.

prevent: Requires timely identification, reporting, and correction of the unrestricted upload flaw in src/main/java/com/my/blog/website/controller/admin/AttachtController.java.
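The input-validation control above (SI-10) and the "restrict file types, sizes, and characteristics" control are easiest to reason about as an allow-list policy applied to the upload handler's 'file' argument. The following is an added example, not code from the SpringBoot-Blog project; the class name, the 5 MiB cap and the accepted type list are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

// Hypothetical allow-list validator for an admin attachment upload handler.
// Not the project's code: it shows the kind of SI-10 checks the controls above
// call for (declared type, size, file name characteristics, actual content).
public final class AttachmentPolicy {
    static final long MAX_BYTES = 5L * 1024 * 1024; // size cap (assumed value)
    // Allowed extension -> leading bytes the content must start with.
    static final Map<String, byte[]> MAGIC = Map.of(
        "png", new byte[]{(byte) 0x89, 'P', 'N', 'G'},
        "jpg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "pdf", "%PDF".getBytes(StandardCharsets.US_ASCII));

    /** Returns a server-chosen storage name, or null if the upload is rejected. */
    public static String accept(String originalName, long size, byte[] head) {
        if (originalName == null || size <= 0 || size > MAX_BYTES) return null;
        // Ignore any client-supplied directory part (blocks path traversal in the name).
        String base = originalName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        // Exactly one extension: "a.jsp.png", ".png" and "a.png." are all rejected.
        int dot = base.indexOf('.');
        if (dot <= 0 || dot != base.lastIndexOf('.') || dot == base.length() - 1) return null;
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = MAGIC.get(ext);
        if (magic == null) return null; // extension not on the allow list
        // The declared type must match the bytes actually uploaded.
        if (head == null || head.length < magic.length) return null;
        if (!Arrays.equals(Arrays.copyOf(head, magic.length), magic)) return null;
        // Never reuse the client name on disk: random name plus the allow-listed extension.
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        byte[] html = "<html>".getBytes(StandardCharsets.US_ASCII);
        System.out.println(accept("logo.png", 1024, png) != null);        // true
        System.out.println(accept("../../x.png", 1024, png) != null);     // true, name sanitised
        System.out.println(accept("page.jsp", 1024, html) != null);       // false, not allowed
        System.out.println(accept("fake.png", 1024, html) != null);       // false, content mismatch
        System.out.println(accept("a.png.jsp", 1024, png) != null);       // false, double extension
        System.out.println(accept("big.png", MAX_BYTES + 1, png) != null); // false, over size cap
    }
}
```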
