VDB-290815 · CVE-2024-13210 · GCVE-100-290815

donglight bookstore电商书城系统说明 1.0 AdminBookController. java uploadPicture pictureFile Eskalacija privilegija

Pronađena je ranjivost klasifikovana kao Kritične u donglight bookstore电商书城系统说明 1.0. Zahvaćeno je funkcija uploadPicture u fajlu src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController. java. Izmena argumenta pictureFile rezultira Eskalacija privilegija. Korišćenjem CWE za opis problema dolazi se do CWE-434. Ova slabost je objavljena 01/08/2025 kao Bookstore has remote command execution #10. Izveštaj je dostupan za preuzimanje na github.com. Ova ranjivost je poznata pod oznakom CVE-2024-13210. Napad je moguće izvršiti sa udaljene lokacije. Napad zahteva pristup lokalnoj mreži. Tehnički podaci su dostupni. Поред тога, експлоит је доступан. Eksploatacija je javno objavljena i može biti iskorišćena. Trenutno je cena za eksploataciju približno USD $0-$5k u ovom momentu. Prema MITRE ATT&CK projektu, tehnika napada je T1608.002. Definisano je kao dokaz-of-koncept. Ekspoit je objavljen za preuzimanje na github.com. Kao 0-day, očekivana cena na crnom tržištu bila je oko $0-$5k. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

4 Promene · 99 Tačke podataka

Polje	Kreirali 01/08/2025 17:54	Ažurira 1/3 01/09/2025 13:53	Ažurira 2/3 01/09/2025 14:56	Ažurira 3/3 08/23/2025 04:06
software_vendor	donglight	donglight	donglight	donglight
software_name	bookstore电商书城系统说明	bookstore电商书城系统说明	bookstore电商书城系统说明	bookstore电商书城系统说明
software_version	1.0	1.0	1.0	1.0
software_file	src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController. java	src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController. java	src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController. java	src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController. java
software_function	uploadPicture	uploadPicture	uploadPicture	uploadPicture
software_argument	pictureFile	pictureFile	pictureFile	pictureFile
vulnerability_cwe	CWE-434 (Eskalacija privilegija)	CWE-434 (Eskalacija privilegija)	CWE-434 (Eskalacija privilegija)	CWE-434 (Eskalacija privilegija)
vulnerability_risk	2	2	2	2
cvss3_vuldb_av	N	N	N	N
cvss3_vuldb_ac	L	L	L	L
cvss3_vuldb_pr	H	H	H	H
cvss3_vuldb_ui	N	N	N	N
cvss3_vuldb_s	U	U	U	U
cvss3_vuldb_c	L	L	L	L
cvss3_vuldb_i	L	L	L	L
cvss3_vuldb_a	L	L	L	L
cvss3_vuldb_e	P	P	P	P
cvss3_vuldb_rc	C	C	C	C
advisory_identifier	Bookstore has remote command execution #10	Bookstore has remote command execution #10	Bookstore has remote command execution #10	Bookstore has remote command execution #10
advisory_url	https://github.com/donglight/bookstore/issues/10	https://github.com/donglight/bookstore/issues/10	https://github.com/donglight/bookstore/issues/10	https://github.com/donglight/bookstore/issues/10
exploit_availability	1	1	1	1
exploit_publicity	1	1	1	1
exploit_url	https://github.com/donglight/bookstore/issues/10#issue-2760923048	https://github.com/donglight/bookstore/issues/10#issue-2760923048	https://github.com/donglight/bookstore/issues/10#issue-2760923048	https://github.com/donglight/bookstore/issues/10#issue-2760923048
source_cve	CVE-2024-13210	CVE-2024-13210	CVE-2024-13210	CVE-2024-13210
cna_responsible	VulDB	VulDB	VulDB	VulDB
cvss2_vuldb_av	N	N	N	N
cvss2_vuldb_ac	L	L	L	L
cvss2_vuldb_au	M	M	M	M
cvss2_vuldb_ci	P	P	P	P
cvss2_vuldb_ii	P	P	P	P
cvss2_vuldb_ai	P	P	P	P
cvss2_vuldb_e	POC	POC	POC	POC
cvss2_vuldb_rc	C	C	C	C
cvss4_vuldb_av	N	N	N	N
cvss4_vuldb_ac	L	L	L	L
cvss4_vuldb_pr	H	H	H	H
cvss4_vuldb_ui	N	N	N	N
cvss4_vuldb_vc	L	L	L	L
cvss4_vuldb_vi	L	L	L	L
cvss4_vuldb_va	L	L	L	L
cvss4_vuldb_e	P	P	P	P
cvss2_vuldb_rl	ND	ND	ND	ND
cvss3_vuldb_rl	X	X	X	X
cvss4_vuldb_at	N	N	N	N
cvss4_vuldb_sc	N	N	N	N
cvss4_vuldb_si	N	N	N	N
cvss4_vuldb_sa	N	N	N	N
cvss2_vuldb_basescore	5.8	5.8	5.8	5.8
cvss2_vuldb_tempscore	5.2	5.2	5.2	5.2
cvss3_vuldb_basescore	4.7	4.7	4.7	4.7
cvss3_vuldb_tempscore	4.5	4.5	4.5	4.5
cvss3_meta_basescore	4.7	4.7	4.7	5.5
cvss3_meta_tempscore	4.5	4.6	4.6	5.5
cvss4_vuldb_bscore	5.1	5.1	5.1	5.1
cvss4_vuldb_btscore	2.0	2.0	2.0	2.0
advisory_date	1736290800 (01/08/2025)	1736290800 (01/08/2025)	1736290800 (01/08/2025)	1736290800 (01/08/2025)
price_0day	$0-$5k	$0-$5k	$0-$5k	$0-$5k
cve_nvd_summary		A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController. java. The manipulation of the argument pictureFile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.	A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController. java. The manipulation of the argument pictureFile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.	A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController. java. The manipulation of the argument pictureFile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
cvss4_cna_av		N	N	N
cvss4_cna_ac		L	L	L
cvss4_cna_at		N	N	N
cvss4_cna_pr		H	H	H
cvss4_cna_ui		N	N	N
cvss4_cna_vc		L	L	L
cvss4_cna_vi		L	L	L
cvss4_cna_va		L	L	L
cvss4_cna_sc		N	N	N
cvss4_cna_si		N	N	N
cvss4_cna_sa		N	N	N
cvss4_cna_bscore		5.1	5.1	5.1
cvss3_cna_av		N	N	N
cvss3_cna_ac		L	L	L
cvss3_cna_pr		H	H	H
cvss3_cna_ui		N	N	N
cvss3_cna_s		U	U	U
cvss3_cna_c		L	L	L
cvss3_cna_i		L	L	L
cvss3_cna_a		L	L	L
cvss3_cna_basescore		4.7	4.7	4.7
cvss2_cna_av		N	N	N
cvss2_cna_ac		L	L	L
cvss2_cna_au		M	M	M
cvss2_cna_ci		P	P	P
cvss2_cna_ii		P	P	P
cvss2_cna_ai		P	P	P
cvss2_cna_basescore		5.8	5.8	5.8
cve_nvd_summaryes			Se ha encontrado una vulnerabilidad en donglight bookstore???????? 1.0. Se ha declarado como crítica. Esta vulnerabilidad afecta a la función uploadPicture del archivo src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java. La manipulación del argumento pictureFile permite cargar imágenes sin restricciones. El ataque se puede ejecutar de forma remota. El exploit se ha hecho público y puede utilizarse.	Se ha encontrado una vulnerabilidad en donglight bookstore???????? 1.0. Se ha declarado como crítica. Esta vulnerabilidad afecta a la función uploadPicture del archivo src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java. La manipulación del argumento pictureFile permite cargar imágenes sin restricciones. El ataque se puede ejecutar de forma remota. El exploit se ha hecho público y puede utilizarse.
cvss3_nvd_av				N
cvss3_nvd_ac				L
cvss3_nvd_pr				H
cvss3_nvd_ui				N
cvss3_nvd_s				U
cvss3_nvd_c				H
cvss3_nvd_i				H
cvss3_nvd_a				H
cvss3_nvd_basescore				7.2

◂ Prethodne Pregled Sledeжi ▸

Interested in the pricing of exploits?

See the underground prices here!