CVE-2024-13210
Published: 09 January 2025
Summary
CVE-2024-13210 is a medium-severity Improper Access Control (CWE-284) vulnerability in Donglight Bookstore. Its CVSS base score is 4.7 (Medium).
Operationally, it is ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of the pictureFile input in uploadPicture to prevent unrestricted upload of dangerous files.
- Mandates timely remediation of the specific flaw in AdminBookController enabling unrestricted file uploads.
- Enforces access control policies to restrict the uploadPicture function against improper access as per CWE-284.
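As an added example (not code from the donglight bookstore project), the handler below shows what the two controls named above look like in a Spring MVC controller: AC-3 by restricting the endpoint to administrators, and SI-10 by validating the pictureFile argument before anything is written to disk. The class name, request path, upload directory, size limit and the use of Spring Security's @PreAuthorize are assumptions for illustration; the original AdminBookController is not shown on this page and may differ.

```java
// Added example, not the project's own code. Assumes Spring MVC (MultipartFile)
// and Spring Security (@PreAuthorize); class, path and directory names are hypothetical.
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.multipart.MultipartFile;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Arrays;
import java.util.Map;
import java.util.UUID;

@RestController
public class HardenedPictureUploadController {

    // Uploads are written outside the servlet document root (assumed location), so
    // nothing stored here can be served or executed as application code.
    private static final Path UPLOAD_DIR = Paths.get("/var/lib/bookstore/uploads");
    private static final long MAX_BYTES = 2L * 1024 * 1024;

    // Allowed image types keyed by declared MIME type, with their leading magic bytes.
    // The declared Content-Type only selects which signature to expect; the bytes decide.
    private static final Map<String, byte[]> MAGIC = Map.of(
            "image/png",  new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
            "image/jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
    private static final Map<String, String> EXT = Map.of(
            "image/png", ".png",
            "image/jpeg", ".jpg");

    // AC-3 (Access Enforcement): only an authenticated administrator reaches this method.
    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping("/admin/book/uploadPicture")
    public String uploadPicture(@RequestParam("pictureFile") MultipartFile pictureFile)
            throws IOException {
        String mime = validate(pictureFile);
        // The stored name is generated server-side; the client-supplied filename is
        // never used, so traversal sequences and executable extensions cannot reach disk.
        Path target = UPLOAD_DIR.resolve(UUID.randomUUID() + EXT.get(mime)).normalize();
        try (InputStream in = pictureFile.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }
        return target.getFileName().toString();
    }

    // SI-10 (Information Input Validation): accept only a small, genuine PNG or JPEG.
    // Returns the validated MIME type; throws IllegalArgumentException otherwise.
    public static String validate(MultipartFile f) throws IOException {
        if (f == null || f.isEmpty()) {
            throw new IllegalArgumentException("empty upload");
        }
        if (f.getSize() > MAX_BYTES) {
            throw new IllegalArgumentException("file too large");
        }
        String mime = f.getContentType();
        if (mime == null || !MAGIC.containsKey(mime)) {
            throw new IllegalArgumentException("unsupported type");
        }
        byte[] expected = MAGIC.get(mime);
        byte[] head = new byte[expected.length];
        try (InputStream in = f.getInputStream()) {
            int n = in.readNBytes(head, 0, head.length);
            if (n < head.length || !Arrays.equals(head, expected)) {
                throw new IllegalArgumentException("content does not match declared type");
            }
        }
        return mime;
    }
}
```

Two design points matter here. The allow-list is keyed on what the file actually contains (magic bytes), not on the extension or the Content-Type header, both of which the client controls; and the server never reuses the uploaded filename, which removes the path-traversal and "rename to .jsp" variants that typically accompany an unrestricted upload. The @PreAuthorize annotation is the AC-3 half: even with the validation in place, an upload endpoint in an admin package should not be reachable without the corresponding role.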
NVD Description
A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java. The manipulation of the argument pictureFile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2024-13210 is a vulnerability in the donglight bookstore电商书城系统说明 version 1.0, classified as critical despite a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L). It affects the uploadPicture function in the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java, where manipulation of the pictureFile argument enables unrestricted file upload. The issue is linked to CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
The vulnerability is remotely exploitable over the network with low attack complexity but requires high privileges (PR:H), such as administrative access. An attacker could upload arbitrary files, potentially leading to low-level impacts on confidentiality, integrity, and availability, depending on the uploaded content and server configuration.
Details on the vulnerability, including the disclosed exploit, are available in GitHub issues at https://github.com/donglight/bookstore/issues/10 and https://github.com/donglight/bookstore/issues/10#issue-2760923048, as well as VulDB entries like https://vuldb.com/?id.290815. No specific patch or mitigation steps are outlined in the initial disclosure.
The exploit has been publicly disclosed and may be used by attackers. The CVE was published on 2025-01-09.
Details
- CWE(s)