Cyber Resilience

CVE-2024-53496

Critical · Public PoC

Published: 22 August 2025

Modified: 12 September 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53496 is a critical-severity Improper Access Control (CWE-284) vulnerability in Winterchens My-Site. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-53496 is an incorrect access control vulnerability in the doFilter function of my-site version 1.0.2.RELEASE. This flaw allows attackers to bypass authentication and access sensitive components. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and is associated with CWE-284 (Improper Access Control). It was published on 2025-08-22.

Remote attackers require no privileges or user interaction to exploit this over the network with low complexity. Successful exploitation grants high-impact access to sensitive components without authentication, potentially enabling full compromise of confidentiality, integrity, and availability.

Advisories and additional details are available in the referenced sources, including https://gitee.com/fushuling/cve/blob/master/CVE-2024-53496.md and https://github.com/5kywa1ker/mall/issues/19.

Vulnerability details

Incorrect access control in the doFilter function of my-site v1.0.2.RELEASE allows attackers to access sensitive components without authentication.

CWE(s)

CWE-284 (Improper Access Control)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1087.001 Local Account Discovery
Adversaries may attempt to get a listing of local system accounts.

Why these techniques?

The vulnerability allows an unauthenticated bypass of the web authorization filter via URL manipulation (e.g., appending ';'). This enables exploitation of a public-facing application (T1190) and access to sensitive endpoints such as admin user lists, which supports local account discovery (T1087.001).

CVEs Like This One

CVE-2025-50904 - Same product: Winterchens My-Site
CVE-2025-8838 - Same product: Winterchens My-Site
CVE-2025-64066 - Shared CWE-284
CVE-2026-39339 - Shared CWE-284
CVE-2026-46839 - Shared CWE-284
CVE-2025-26010 - Shared CWE-284
CVE-2026-34291 - Shared CWE-284
CVE-2023-47539 - Shared CWE-284
CVE-2026-23899 - Shared CWE-284
CVE-2025-7016 - Shared CWE-284

Affected Assets

winterchens
my-site
2024-08-27

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Enforces approved authorizations for access to information and system resources, directly preventing unauthenticated attackers from bypassing the flawed doFilter function to reach sensitive components.

Prevent: Requires timely identification, reporting, and correction of the specific access control flaw in my-site v1.0.2.RELEASE to eliminate the vulnerability.

Prevent: Employs least privilege to restrict access to only what is necessary, limiting the impact of any successful authentication bypass on sensitive components.
