CVE-2024-13109

5.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthorized access to the /doc.html endpoint in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Attackers can remotely exploit this improper authorization flaw to access sensitive documentation or potentially other system resources. Organizations using this specific version of the examination system are affected.

💻 Affected Systems

Products:
  • Beijing Yunfan Internet Technology Yunfan Learning Examination System
Versions: 1.9.2
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where the /doc.html endpoint is accessible. The vulnerability is in the web application itself and does not depend on a specific OS.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through privilege escalation or access to sensitive administrative interfaces, potentially leading to data theft, system manipulation, or further network penetration.

🟠 Likely Case

Unauthorized access to system documentation, configuration details, or internal APIs that could facilitate further attacks or information disclosure.

🟢 If Mitigated

Limited information disclosure with no direct path to critical systems or data due to proper network segmentation and access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed on GitHub. The vulnerability requires no authentication and has simple exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates or consider workarounds.

🔧 Temporary Workarounds

Block /doc.html endpoint (platform: all)

Use web server configuration or WAF to block access to the vulnerable endpoint

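# Apache (mod_rewrite with RewriteEngine On, server or virtual-host context; in .htaccess the pattern has no leading slash): RewriteRule ^/doc\.html$ - [F,L]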
# Nginx: location = /doc.html { deny all; }
# IIS: Add request filtering rule

Network segmentation (platform: linux)

Restrict access to the examination system to authorized users only

# Firewall rule example: iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Deploy web application firewall with rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[system-ip]/doc.html without authentication. If the page is accessible, the system is vulnerable.

Check Version:

Check system documentation or web interface footer for version information

Verify Fix Applied:

After applying workarounds, verify /doc.html endpoint returns 403/404 or is inaccessible.

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200 OK responses to /doc.html from unauthorized IPs
  • Unusual access patterns to documentation endpoints

Network Indicators:

  • HTTP GET requests to /doc.html from unexpected sources
  • Traffic spikes to documentation endpoints

SIEM Query:

source="web_server" AND (uri_path="/doc.html" OR uri_path="/doc") AND response_status=200
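The log indicator above (200 responses to /doc.html from unauthorized IPs) can also be checked directly against web server access logs. The following is an added example, not part of the original advisory or the vendor's tooling; it assumes common/combined access log format, and the trusted range and sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Assumption: trusted source ranges for this deployment (hypothetical value).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
WATCHED_PATHS = {"/doc.html", "/doc"}  # same paths as the SIEM query

# Common/combined log format: ip ident user [time] "METHOD uri PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(uri):
    """Drop the query string and trailing slash, lowercase the path."""
    return uri.split("?", 1)[0].rstrip("/").lower() or "/"

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError if not an IP literal
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_untrusted_doc_hits(lines):
    """Count 200 responses on watched paths per untrusted source IP."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected log format
        try:
            trusted = is_trusted(m["ip"])
        except ValueError:
            continue  # first field is a hostname, not an IP
        if (normalize_path(m["uri"]) in WATCHED_PATHS
                and m["status"] == "200" and not trusted):
            hits[m["ip"]] += 1
    return hits

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:09:01:12 +0000] "GET /doc.html HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Jan/2025:09:01:15 +0000] "GET /doc.html?lang=en HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '10.20.4.15 - - [10/Jan/2025:09:02:40 +0000] "GET /doc.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jan/2025:09:03:02 +0000] "GET /doc.html HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jan/2025:09:03:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jan/2025:09:04:11 +0000] "GET /doc HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, count in find_untrusted_doc_hits(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} successful request(s) to documentation endpoint")
```

After the blocking workaround is in place, the same function should return no hits for new traffic, since blocked requests log 403/404 instead of 200.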
