CVE-2024-13211

Severity: Medium
Published: 09 January 2025
Modified: 15 October 2025
KEV Added: not listed
Patch: none listed
CVSS v4.0 Score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N; threat and environmental metrics not defined)
EPSS Score: 0.0010 (27.3rd percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13211 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in SingMR HouseRent. Its CVSS v4.0 base score is 5.3 (Medium); the CVSS v3.1 base score is 6.3.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.3rd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-13211 affects SingMR HouseRent version 1.0. The VulDB entry rates it "critical" on its own scale, although its CVSS scores place it in the Medium band. An unspecified function in the file src/main/java/com/house/wym/controller/AdminController.java applies improper access controls (CWE-266 Incorrect Privilege Assignment, CWE-284 Improper Access Control), enabling unauthorized manipulation of whatever that function exposes. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-09.

A remote attacker holding a low-privileged account (PR:L) can exploit the flaw over the network with low attack complexity and no user interaction. The impact is rated low on each of confidentiality, integrity and availability: because the AdminController does not enforce the authorization it should, such an account can reach or modify data that the affected function was not meant to expose to it.

Advisories reference a GitHub issue (https://github.com/SingMR/HouseRent/issues/12) disclosing the vulnerability, along with VulDB entries (https://vuldb.com/?ctiid.290816, https://vuldb.com/?id.290816). None of the provided references details a patch or mitigation steps; practitioners should watch the GitHub issue for updates.

The exploit has been publicly disclosed and may be usable by attackers.

Vulnerability details

A vulnerability was found in SingMR HouseRent 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file src/main/java/com/house/wym/controller/AdminController.java. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

CWE-266 Incorrect Privilege Assignment
CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Broken access control in public-facing web app AdminController directly enables remote exploitation (T1190) and privilege escalation via unauthorized manipulation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13212 (same product: SingMR HouseRent)
CVE-2026-2075 (shared CWE-266, CWE-284)
CVE-2024-13200 (shared CWE-266, CWE-284)
CVE-2026-9517 (shared CWE-266, CWE-284)
CVE-2025-2334 (shared CWE-266, CWE-284)
CVE-2025-2548 (shared CWE-266, CWE-284)
CVE-2025-29315 (shared CWE-284)
CVE-2025-55261 (shared CWE-284)
CVE-2026-21636 (shared CWE-284)
CVE-2026-4194 (shared CWE-266, CWE-284)

Affected Assets

Vendor: singmr
Product: houserent
Versions: all versions

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access to information and system resources, directly mitigating the improper access controls in AdminController.java that enable unauthorized remote manipulation.

AC-6 Least Privilege (prevent): Employs least privilege to ensure only necessary accesses are granted to low-privilege users, preventing exploitation of the flawed access controls by PR:L attackers.

AC-24 Access Control Decisions (prevent): Authorizes access to system resources based on defined personnel or roles, addressing the vulnerability's allowance of unauthorized actions in the AdminController.
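The following is an added illustration of the bug class described in the deeper analysis above (an authenticated but non-administrative account reaching an admin action) beside the AC-3 / AC-6 / AC-24 controls listed here. It is not code from SingMR HouseRent: the advisory does not publish the affected function, so the User, Role, ListingStore and controller classes, the action names and the POLICY table are hypothetical stand-ins chosen to show the pattern.

```java
// AccessEnforcementDemo.java
// Added illustration of the bug class behind CVE-2024-13211 (CWE-284 / CWE-266):
// an "admin" handler that only checks for a login, beside one that enforces a
// central authorization decision. This is NOT code from SingMR HouseRent; the
// advisory does not publish the affected function, so User, Role, ListingStore,
// the two controller classes and the POLICY table are hypothetical stand-ins.
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class AccessEnforcementDemo {

    enum Role { TENANT, LANDLORD, ADMIN }

    /** Hypothetical authenticated principal, i.e. what a session resolves to. */
    record User(String name, Role role) {}

    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    /** Hypothetical store exposing a privileged operation. */
    static class ListingStore {
        private final Map<Integer, String> listings = new HashMap<>();
        ListingStore() { listings.put(1, "2-bed flat, city centre"); }
        void delete(int id) { listings.remove(id); }
        int count() { return listings.size(); }
    }

    /** Vulnerable shape: any authenticated account (CVSS PR:L) reaches the action. */
    static class VulnerableAdminController {
        private final ListingStore store;
        VulnerableAdminController(ListingStore store) { this.store = store; }
        void deleteListing(User caller, int id) {
            if (caller == null) throw new AccessDenied("login required");
            store.delete(id);  // no role check between "logged in" and "admin"
        }
    }

    /** Central access control decision (NIST AC-24): action -> roles allowed. */
    static final Map<String, Set<Role>> POLICY = Map.of(
            "admin.deleteListing", Set.of(Role.ADMIN),
            "listing.view", Set.of(Role.TENANT, Role.LANDLORD, Role.ADMIN));

    /** Access enforcement (NIST AC-3): deny by default, then consult the policy. */
    static void enforce(User caller, String action) {
        if (caller == null) throw new AccessDenied("login required");
        Set<Role> allowed = POLICY.get(action);
        if (allowed == null || !allowed.contains(caller.role())) {
            throw new AccessDenied(caller.name() + " as " + caller.role()
                    + " may not perform " + action);
        }
    }

    /** Hardened shape: the handler enforces the decision before touching the store. */
    static class HardenedAdminController {
        private final ListingStore store;
        HardenedAdminController(ListingStore store) { this.store = store; }
        void deleteListing(User caller, int id) {
            enforce(caller, "admin.deleteListing");
            store.delete(id);
        }
    }

    public static void main(String[] args) {
        User tenant = new User("alice", Role.TENANT);  // low-privilege account
        User admin = new User("root", Role.ADMIN);

        ListingStore s1 = new ListingStore();
        new VulnerableAdminController(s1).deleteListing(tenant, 1);
        System.out.println("vulnerable: tenant deleted listing, " + s1.count() + " left");

        ListingStore s2 = new ListingStore();
        HardenedAdminController hardened = new HardenedAdminController(s2);
        try {
            hardened.deleteListing(tenant, 1);
        } catch (AccessDenied e) {
            System.out.println("hardened: " + e.getMessage());
        }
        hardened.deleteListing(admin, 1);
        System.out.println("hardened: admin deleted listing, " + s2.count() + " left");
    }
}
```

Compile and run with `javac AccessEnforcementDemo.java && java AccessEnforcementDemo` (Java 16 or later, for the record type). The point of splitting `POLICY` from `enforce` is that the decision (AC-24) is made once and denies by default, while every privileged handler enforces it (AC-3) before doing any work; the tenant account holds only what it needs (AC-6). In a Spring MVC application the equivalent server-side check is usually `@PreAuthorize("hasRole('ADMIN')")` on the handler method or a `requestMatchers("/admin/**").hasRole("ADMIN")` rule in the security filter chain; hiding the admin menu in the client is not a control, because a PR:L attacker simply sends the request directly.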

References

https://github.com/SingMR/HouseRent/issues/12
https://vuldb.com/?ctiid.290816
https://vuldb.com/?id.290816