Cyber Resilience

CVE-2024-13210

Severity: Medium · Public PoC referenced
Published: 09 January 2025
Modified: 22 August 2025
KEV Added: not listed
Patch: none referenced
CVSS v4.0 base score: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N)
EPSS score: 0.0007 (22.4th percentile)
Risk Priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13210 is a medium-severity vulnerability in Donglight Bookstore 1.0, tracked as Improper Access Control (CWE-284) together with Unrestricted Upload of File with Dangerous Type (CWE-434). Its CVSS v4.0 base score is 5.1 (Medium); the CVSS v3.1 base score is 4.7.

Operationally, exploitation maps to the MITRE ATT&CK technique Web Shell (T1505.003). EPSS places it at the 22.4th percentile by exploit likelihood (below the median), it is not listed in the CISA KEV catalog, and a public proof-of-concept is referenced in the disclosure.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13210 affects donglight bookstore电商书城系统说明 (the Chinese reads "e-commerce bookstore system description") version 1.0. The original disclosure labels it critical, although its CVSS v3.1 base score is only 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L). The flaw is in the uploadPicture function in src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java: the pictureFile argument is accepted without restricting the type of file uploaded, so an administrator-level request can place a file of any type on the server. The issue is classified as CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

The vulnerability is exploitable over the network with low attack complexity, but it requires high privileges (PR:H): the handler sits in the admin controller, so the attacker needs an administrator session or some way to obtain one. With that access, the attacker can upload a file of an arbitrary type. The CVSS vector rates the confidentiality, integrity and availability impacts as Low, but the practical impact depends on what is uploaded and on the server configuration: if the upload directory is served by the application container and the container executes the uploaded file type (a JSP in a Java web application, for instance), the result is a web shell running as the application user.
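What a fix looks like in practice: the handler has to distrust both the client-supplied file name and the bytes. The example below is written for this page and is not code from the donglight/bookstore project. It assumes a Spring-style upload in which pictureFile is a MultipartFile (the page only gives the path and the parameter name), so a patched uploadPicture would call store(pictureFile.getOriginalFilename(), pictureFile.getBytes(), uploadDir). The class name, the 2 MiB cap and the upload directory are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

/**
 * Added example, not project code. The vulnerable shape the advisory describes
 * amounts to trusting the client on both the name and the bytes, roughly:
 *
 *   pictureFile.transferTo(new File(uploadDir, pictureFile.getOriginalFilename()));
 *
 * so "shell.jsp" (or "../../webapps/ROOT/shell.jsp") lands on disk as sent.
 * The routine below allow-lists image types, checks the file header, and
 * writes under a server-generated name. All names here are assumptions.
 */
public final class SafePictureUpload {

    private static final long MAX_BYTES = 2L * 1024 * 1024; // assumed 2 MiB cap

    // Allow-listed extension -> bytes the content must begin with.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "gif",  new byte[] {'G', 'I', 'F', '8'}
    );

    private SafePictureUpload() {}

    /**
     * Rejects anything that is not a real image and stores the rest under a
     * random name inside uploadDir. Throws IllegalArgumentException on rejection.
     */
    public static Path store(String originalFilename, byte[] content, Path uploadDir)
            throws IOException {
        if (content == null || content.length == 0 || content.length > MAX_BYTES) {
            throw new IllegalArgumentException("empty or oversized upload");
        }
        String ext = extensionOf(originalFilename);
        byte[] magic = MAGIC.get(ext);
        if (magic == null) {
            throw new IllegalArgumentException("extension not allowed: '" + ext + "'");
        }
        if (content.length < magic.length
                || !Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
            throw new IllegalArgumentException("content is not a ." + ext + " image");
        }
        // The client name is never reused: a random name defeats "../" traversal,
        // null-byte tricks and double extensions such as "x.jsp.png" in one go.
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalStateException("target escaped the upload directory");
        }
        Files.createDirectories(base);
        Files.write(target, content, StandardOpenOption.CREATE_NEW);
        return target;
    }

    /** Lower-cased extension of the last path segment, "" if absent. */
    static String extensionOf(String name) {
        if (name == null) {
            return "";
        }
        int slash = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String leaf = name.substring(slash + 1);
        int dot = leaf.lastIndexOf('.');
        return dot < 0 ? "" : leaf.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // Constructed demonstration: a JSP disguised by name is refused, a real PNG header passes.
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("pictures");
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0};
        System.out.println("stored: " + store("cover.png", png, dir));
        byte[] jsp = "<%@ page %>".getBytes(StandardCharsets.ISO_8859_1);
        for (String bad : new String[] {"shell.jsp", "../shell.jsp", "shell.jsp.png"}) {
            try {
                store(bad, jsp, dir);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Two things the code cannot do for you. First, the upload directory must be one the servlet container does not serve as JSP: keep it outside the deployed web application and return files through a read-only download handler that sets Content-Type from the stored extension and X-Content-Type-Options: nosniff. Second, the endpoint must still sit behind the administrator check; the validation above only narrows what an already-authorised user can upload, so the CWE-284 half of this finding is an access-control fix, not an input-validation one.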

Details, including the disclosed exploit, are in the GitHub issue https://github.com/donglight/bookstore/issues/10 (the opening report is at https://github.com/donglight/bookstore/issues/10#issue-2760923048) and in the VulDB entry https://vuldb.com/?id.290815. The initial disclosure outlines no patch or mitigation steps.

The exploit has been publicly disclosed and may be used by attackers. The CVE was published on 2025-01-09.


Vulnerability details

A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java. The manipulation of the argument pictureFile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

CWE-284 Improper Access Control
CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1505.003 Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why this technique: an unrestricted file upload in the web application is the direct route to planting a web shell, since the attacker controls both the content and the type of the file written to the server component.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
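For detection, the persistence artefact of this technique is a file in the picture directory that is not a picture. The following is an added hunting helper written for this page, not project code: it walks an upload directory and flags files whose extension is not an image type, whose header does not match the extension, or whose first 64 KiB contain server-side script markers. The directory, the marker list and the constructed sample files are assumptions for illustration; it needs Java 11 or later for InputStream.readNBytes.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * Added hunting helper for this page, not project code. Walks a picture upload
 * directory and reports files that are not what their name claims, which is
 * the footprint of a web shell dropped through an unrestricted upload.
 * The directory, markers and file names are illustrative assumptions.
 */
public final class UploadDirSweep {

    private static final Map<String, byte[]> MAGIC = Map.of(
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "gif",  new byte[] {'G', 'I', 'F', '8'}
    );

    // Server-side code markers that have no business inside an image directory.
    // Kept longer than two bytes to limit chance hits in compressed image data.
    private static final String[] SCRIPT_MARKERS = {
        "<%@", "<jsp:", "<?php", "Runtime.getRuntime(", "ProcessBuilder("
    };

    private UploadDirSweep() {}

    /** One line per suspicious file; an empty list means nothing stood out. */
    public static List<String> sweep(Path uploadDir) throws IOException {
        List<String> findings = new ArrayList<>();
        List<Path> files;
        try (Stream<Path> s = Files.walk(uploadDir)) {
            files = s.filter(Files::isRegularFile).collect(Collectors.toList());
        }
        for (Path p : files) {
            byte[] head;
            try (InputStream in = Files.newInputStream(p)) {
                head = in.readNBytes(64 * 1024); // header plus enough body for markers
            }
            String name = p.getFileName().toString();
            int dot = name.lastIndexOf('.');
            String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
            byte[] magic = MAGIC.get(ext);
            if (magic == null) {
                findings.add(p + ": extension '" + ext + "' is not an allowed image type");
            } else if (head.length < magic.length
                    || !Arrays.equals(Arrays.copyOf(head, magic.length), magic)) {
                findings.add(p + ": header does not match ." + ext);
            }
            // ISO-8859-1 maps every byte to one char, so binary content is searched safely.
            String text = new String(head, StandardCharsets.ISO_8859_1);
            for (String marker : SCRIPT_MARKERS) {
                if (text.contains(marker)) {
                    findings.add(p + ": contains script marker " + marker);
                    break;
                }
            }
        }
        return findings;
    }

    // Constructed demo: one genuine PNG header, one JSP renamed to .png, one bare .jsp.
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads");
        Files.write(dir.resolve("cover.png"),
            new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0});
        Files.write(dir.resolve("photo.png"),
            "<%@ page language=\"java\" %><% Runtime.getRuntime(); %>"
                .getBytes(StandardCharsets.ISO_8859_1));
        Files.write(dir.resolve("cmd.jsp"),
            "<%@ page %>".getBytes(StandardCharsets.ISO_8859_1));
        List<String> findings = sweep(dir);
        if (findings.isEmpty()) {
            System.out.println("clean");
        }
        findings.forEach(System.out::println);
    }
}
```

Run it against a copy of the directory taken during response, not the live path. A hit of the first two kinds is the classic dropped shell. A valid image header followed by script markers is a polyglot, which only executes if something includes or renames it, so treat that as a triage lead rather than proof. Pair the sweep with a look at the servlet container's JSP work directory for compiled classes whose names match files in the upload path, and with the access logs for requests into the upload directory that carry query parameters.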

CVEs Like This One

CVE-2024-13195 (same product: Donglight Bookstore)
CVE-2025-7210 (shared CWE-284, CWE-434)
CVE-2024-13201 (shared CWE-284, CWE-434)
CVE-2026-1813 (shared CWE-284, CWE-434)
CVE-2024-13144 (shared CWE-284, CWE-434)
CVE-2025-8255 (shared CWE-284, CWE-434)
CVE-2024-13212 (shared CWE-284, CWE-434)
CVE-2025-2219 (shared CWE-284, CWE-434)
CVE-2025-7413 (shared CWE-284, CWE-434)
CVE-2025-0341 (shared CWE-284, CWE-434)

Affected Assets

donglight bookstore 1.0.0 (the disclosure text gives the version as 1.0)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): directly requires validation of the pictureFile input in uploadPicture so that only files of the intended type, here images, are accepted.

SI-2 Flaw Remediation (prevent): mandates timely remediation of the flaw in AdminBookController that allows unrestricted file uploads.

AC-3 Access Enforcement (prevent): enforces access-control policy on the uploadPicture function so that only authorised administrators can reach it, addressing the CWE-284 aspect of the finding.
