Unrestricted File Upload Vulnerability in ZeroWdd Studentmanager Software
CVE-2024-13133

5.3 MEDIUM

Key Information:

Vendor: Zerowdd
Product: Studentmanager
CVE Published: 5 January 2025

Badges

👾 Exploit Exists

Summary

A security vulnerability exists in the ZeroWdd Studentmanager software, specifically within the addStudent/editStudent functions in the StudentController.java file. The issue stems from the manipulation of the 'file' argument, leading to unrestricted file uploads, which could be exploited by attackers to execute arbitrary code or upload malicious files. This vulnerability allows for remote attacks, heightening the risk for organizations using this software. Public disclosure of the exploit amplifies the urgency for users to secure their installations and apply appropriate mitigations.
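The defensive counterpart to the flaw described above is server-side validation of the multipart `file` argument before it is written to disk. The helper below is an added illustration written for this page, not code from the Studentmanager project; it assumes a Spring MVC `MultipartFile` parameter, an upload directory kept outside the web root, and hypothetical names (`SafeStudentPhotoUpload`, `store`) chosen here.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Arrays;
import java.util.Set;
import java.util.UUID;
import org.springframework.web.multipart.MultipartFile;

// Hypothetical hardened upload helper; not part of the Studentmanager code base.
public final class SafeStudentPhotoUpload {
    private static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png");
    private static final long MAX_BYTES = 2L * 1024 * 1024;
    private static final byte[] JPEG_MAGIC = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] PNG_MAGIC = {(byte) 0x89, 'P', 'N', 'G'};

    private SafeStudentPhotoUpload() {}

    // Validates the multipart 'file' and stores it under a server-chosen name.
    // Throws on anything that is not a small JPEG/PNG, so a script disguised as
    // an image is rejected rather than written where the server could execute it.
    public static Path store(MultipartFile file, Path uploadRoot) throws IOException {
        if (file == null || file.isEmpty()) throw new IllegalArgumentException("empty upload");
        if (file.getSize() > MAX_BYTES) throw new IllegalArgumentException("file too large");

        // Take only the extension from the client-supplied name, never the name itself.
        String original = file.getOriginalFilename() == null ? "" : file.getOriginalFilename();
        int dot = original.lastIndexOf('.');
        String ext = dot < 0 ? "" : original.substring(dot + 1).toLowerCase();
        if (!ALLOWED_EXT.contains(ext)) throw new IllegalArgumentException("extension not allowed");

        // Check magic bytes: the extension alone is attacker-controlled.
        try (InputStream in = file.getInputStream()) {
            byte[] head = in.readNBytes(4);
            boolean jpeg = head.length >= 3 && Arrays.equals(Arrays.copyOf(head, 3), JPEG_MAGIC);
            boolean png = head.length == 4 && Arrays.equals(head, PNG_MAGIC);
            if (!jpeg && !png) throw new IllegalArgumentException("content is not a JPEG/PNG image");
        }

        // Server-generated name, resolved inside the upload root (blocks ../ traversal).
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(root)) throw new IllegalStateException("path escapes upload root");
        Files.createDirectories(root);
        try (InputStream in = file.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }
        return target;
    }
}
```

The controller's addStudent/editStudent handlers would call `store(file, uploadRoot)` and persist only the returned path; the upload root should be a directory the servlet container does not serve or execute from.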

Affected Version(s)

studentmanager 1.0

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved