CVE-2024-13210
Published: 09 January 2025
Summary
CVE-2024-13210 is a medium-severity Improper Access Control (CWE-284) vulnerability in Donglight Bookstore 1.0 whose practical effect is an unrestricted file upload (CWE-434). The summary score recorded here is CVSS 5.1 (Medium); the CVSS v3.1 vector quoted in the deeper analysis below evaluates to 4.7, so expect the figure to vary with the scoring source.
Operationally, exploitation maps to the MITRE ATT&CK technique Web Shell (T1505.003). Its exploit-likelihood ranking is the 22.4th percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations identified in this analysis are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13210 is a vulnerability in donglight bookstore电商书城系统说明 version 1.0 (the Chinese suffix reads "e-commerce bookstore system description"). The VulDB entry rates it "critical" even though its CVSS v3.1 base score is 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L), which is Medium on the CVSS scale. The flaw is in the uploadPicture function of src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java: the pictureFile argument is accepted without restriction on the type or name of the uploaded file. It is classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
The vulnerability is exploitable over the network with low attack complexity but requires high privileges (PR:H): the controller sits in the admin package, so the attacker needs an administrator account or session. With that access an attacker can upload arbitrary files. The vector scores the impact on confidentiality, integrity and availability as low, but the real consequence depends on what is uploaded and where the application stores it; if the picture directory is served by the servlet container, a dropped JSP file becomes a web shell, which is why the ATT&CK mapping is T1505.003.
Details on the vulnerability, including the disclosed exploit, are in the GitHub issue https://github.com/donglight/bookstore/issues/10 (also referenced as https://github.com/donglight/bookstore/issues/10#issue-2760923048, an anchor into the same issue) and in VulDB entries such as https://vuldb.com/?id.290815. The initial disclosure outlines no specific patch or mitigation steps.
The exploit has been publicly disclosed and may be used by attackers. The CVE was published on 2025-01-09.
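The following is an added example, not code from the donglight/bookstore project (which is Java/Spring): it shows, in Python, the upload pattern the advisory describes beside a handler that applies the SI-10 style checks a reviewer would ask for (extension allowlist on the final extension only, magic-byte check, size cap, server-chosen filename), plus an incident-response sweep of an existing picture directory for files that are not images. The function names, the 2 MiB limit, the directory layout and every sample input are assumptions constructed for illustration.

```python
"""Unrestricted picture upload (CWE-434) beside a hardened handler and an IR sweep.

Added example, not code from the donglight/bookstore project (which is Java/Spring).
Function names, the size cap, the directory layout and all sample inputs are assumptions.
"""
import os
import secrets
import tempfile

# Allowed image types: extension -> magic-byte prefixes the content must start with.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size cap, not taken from the advisory

# Constructed samples: a minimal PNG-signature file and a harmless JSP stand-in.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
JSP_SAMPLE = b'<% out.println("placeholder for a web shell"); %>'


class UploadRejected(ValueError):
    """Raised by the hardened handler for anything that is not a real image."""


def save_unrestricted(upload_dir: str, filename: str, content: bytes) -> str:
    """The pattern the advisory describes: client-chosen name and bytes written as-is.
    If the servlet container serves upload_dir, a dropped .jsp runs as a web shell."""
    path = os.path.join(upload_dir, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def sniff_image_type(content: bytes):
    """Return the extension whose magic bytes match the content, or None."""
    for ext, magics in IMAGE_SIGNATURES.items():
        if content.startswith(magics):
            return ext
    return None


def save_hardened(upload_dir: str, filename: str, content: bytes) -> str:
    """Size cap, allowlist on the final extension, magic bytes must match that
    extension, and a random server-chosen name so the client never picks the path."""
    if not content or len(content) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    base = os.path.basename(filename.replace("\\", "/"))  # strips any traversal prefix
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    sniffed = sniff_image_type(content)
    if sniffed is None or IMAGE_SIGNATURES[sniffed] != IMAGE_SIGNATURES[ext]:
        raise UploadRejected("content does not match declared image type")
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def find_suspicious_uploads(upload_dir: str) -> list:
    """IR sweep: flag files whose extension is not an allowed image type, or whose
    leading bytes do not match any allowed image signature."""
    findings = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(16)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in IMAGE_SIGNATURES:
                findings.append((path, "non-image extension"))
            elif sniff_image_type(head) is None:
                findings.append((path, "extension/content mismatch"))
    return findings


def run_demo() -> dict:
    """Run both handlers on the constructed samples and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        served_dir = os.path.join(tmp, "webroot", "pictures")   # assumed: served by the container
        storage_dir = os.path.join(tmp, "storage", "pictures")  # assumed: outside the webroot
        dropped = save_unrestricted(served_dir, "shell.jsp", JSP_SAMPLE)
        results["unrestricted_accepts_jsp"] = dropped.endswith(".jsp")
        cases = {
            "jsp_plain": ("shell.jsp", JSP_SAMPLE),
            "jsp_double_ext": ("photo.png.jsp", JSP_SAMPLE),
            "jsp_spoofed_ext": ("photo.png", JSP_SAMPLE),
            "traversal": ("../../webroot/pictures/x.jsp", JSP_SAMPLE),
            "oversized_png": ("big.png", PNG_BYTES + b"\x00" * MAX_BYTES),
            "valid_png": ("cover.png", PNG_BYTES),
        }
        for label, (name, data) in cases.items():
            try:
                results[label] = "stored:" + os.path.basename(save_hardened(storage_dir, name, data))
            except UploadRejected as exc:
                results[label] = "rejected:" + str(exc)
        results["hunt"] = [reason for _path, reason in find_suspicious_uploads(served_dir)]
    return results
```

Run `run_demo()` to see the unrestricted handler accept shell.jsp while the hardened handler rejects the plain, double-extension, spoofed-extension and traversal variants and stores only the genuine PNG under a random name; the sweep then flags the .jsp left in the served directory. Storing outside the webroot is the check that matters most: even a missed validation then yields a file the container never executes.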
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51431
Vulnerability details
A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java. The manipulation of the argument pictureFile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
- CWE(s): CWE-284 (Improper Access Control), CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Web Shell (T1505.003)
Why this technique?
An unrestricted file upload in a web application is the direct enabler of a web shell: the attacker places a server-executable file (for example a JSP page in a Java web application) into a directory the server will interpret, then invokes it over HTTP.
Affected Assets
- donglight bookstore电商书城系统说明 1.0
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the pictureFile input in uploadPicture (file type, content and name) to prevent unrestricted upload of dangerous files.
- Flaw remediation (not named in the summary above; SI-2 is the NIST 800-53 r5 control whose purpose this describes): mandates timely remediation of the specific flaw in AdminBookController that enables unrestricted file uploads.
- AC-3 (Access Enforcement): enforces access control policies so that the uploadPicture function is reachable only by properly authorised administrators, addressing the CWE-284 classification.