CVE-2013-5654

9.1 CRITICAL

📋 TL;DR

CVE-2013-5654 is a critical vulnerability in YingZhi Python Programming Language v1.9 for iOS that allows unauthenticated attackers to upload arbitrary files to the device's storage. This affects all users of the vulnerable app version on iOS devices. The vulnerability stems from improper access control (CWE-284).

💻 Affected Systems

Products:
  • YingZhi Python Programming Language
Versions: v1.9
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: This is a mobile application vulnerability affecting iOS devices running the vulnerable app version.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could upload malicious files, execute arbitrary code, steal sensitive data, or completely compromise the device.

🟠

Likely Case

Attackers upload malicious files to storage, potentially leading to data theft, malware installation, or device compromise.

🟢

If Mitigated

With proper access controls, only authorized uploads would be allowed, preventing unauthorized file storage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability allows anonymous uploads without authentication, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.0 or later

Vendor Advisory: http://www.vapidlabs.com/advisory.php?v=94

Restart Required: Yes

Instructions:

1. Open the App Store on your iOS device.
2. Search for 'YingZhi Python Programming Language'.
3. If an update is available, tap 'Update'.
4. After updating, restart the app.

🔧 Temporary Workarounds

Uninstall vulnerable app

ios

Remove the vulnerable application from the device to eliminate the attack surface.

Long press app icon > Remove App > Delete App

Disable app network access

ios

Prevent the app from accessing network resources to block remote exploitation.

Settings > Privacy & Security > App Privacy Report > Find app > Disable network access

🧯 If You Can't Patch

  • Isolate affected devices from untrusted networks
  • Implement strict network monitoring for suspicious upload activities

🔍 How to Verify

Check if Vulnerable:

Check app version in iOS Settings > General > iPhone Storage > YingZhi Python Programming Language. If version is 1.9, you are vulnerable.

Check Version:

Not applicable - check via iOS Settings as described above

Verify Fix Applied:

After updating, verify app version shows 2.0 or higher in the same location.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file uploads to app storage
  • Unauthorized file creation in app directories

Network Indicators:

  • Suspicious upload traffic to app servers
  • Unusual outbound connections from the app

SIEM Query:

source="ios_logs" app="YingZhi Python" action="file_upload" user="anonymous"
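The following is an added example, not part of this advisory, showing the same detection logic as the SIEM query above applied offline to log lines. The key=value log format, the field names (source, app, action, user, path) and the "/Documents" root are assumptions chosen to mirror the query; the sample log lines are constructed, and a real iOS or MDM log feed will need its own parser.

```python
"""Flag unauthenticated upload events and uploads that land outside the app's
expected directory. Added example; log format and field names are assumed."""
import posixpath
import re
from dataclasses import dataclass

# Constructed sample lines. Field names mirror the advisory's SIEM query; the
# timestamps, users and paths are invented for illustration.
SAMPLE_LOGS = """\
2024-01-01T10:00:00Z source="ios_logs" app="YingZhi Python" action="file_upload" user="anonymous" path="/Documents/script.py"
2024-01-01T10:00:05Z source="ios_logs" app="YingZhi Python" action="file_upload" user="alice" path="/Documents/notes.py"
2024-01-01T10:00:09Z source="ios_logs" app="YingZhi Python" action="file_upload" user="anonymous" path="/Documents/../Library/payload.bin"
2024-01-01T10:00:12Z source="ios_logs" app="Other App" action="file_upload" user="anonymous" path="/tmp/x"
2024-01-01T10:00:15Z source="ios_logs" app="YingZhi Python" action="file_read" user="anonymous" path="/Documents/a.py"
"""

# Matches key="value" pairs; values are assumed not to contain embedded quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Alert:
    timestamp: str
    reason: str
    path: str


def parse_line(line: str) -> dict:
    """Split a line into its leading timestamp and its key=value fields."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def detect(log_text: str, app_name: str = "YingZhi Python",
           allowed_root: str = "/Documents") -> list:
    """Return alerts for upload events that match the advisory's indicators:
    an upload performed by the anonymous user (the SIEM query), or an upload
    whose normalized path escapes the app's expected directory."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        # Only upload actions from the affected app are of interest.
        if event.get("app") != app_name or event.get("action") != "file_upload":
            continue
        path = event.get("path", "")
        if event.get("user") == "anonymous":
            alerts.append(Alert(event["timestamp"], "unauthenticated upload", path))
        # Normalize so that "/Documents/../Library/x" is recognised as "/Library/x".
        normalized = posixpath.normpath(path)
        if not normalized.startswith(allowed_root + "/"):
            alerts.append(Alert(event["timestamp"], "upload outside app directory", path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f"{alert.timestamp} {alert.reason}: {alert.path}")
```

Run against the constructed sample, the first line trips the anonymous-user rule, the third trips both rules, and the remaining lines are ignored because they belong to another app, an authenticated user, or a non-upload action. The path-normalization check is a second indicator beyond the SIEM query: it catches uploads that try to escape the app's own storage directory even when the user field is populated.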
