CVE-2024-13110

4.3 MEDIUM

📋 TL;DR

This vulnerability in Beijing Yunfan Internet Technology's Yunfan Learning Examination System 1.9.2 allows remote attackers to access sensitive information through the Exam Answer Handler component. The information disclosure vulnerability affects systems running the vulnerable version of the software, potentially exposing exam data or system information.

💻 Affected Systems

Products:
  • Beijing Yunfan Internet Technology Yunfan Learning Examination System
Versions: 1.9.2
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the PaperController.java file's Exam Answer Handler component. All deployments of version 1.9.2 are affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access sensitive exam answers, student data, or system configuration information, potentially leading to academic integrity breaches or further system compromise.

🟠

Likely Case

Unauthorized access to exam-related information or system metadata that could be used for reconnaissance or planning additional attacks.

🟢

If Mitigated

Limited exposure of non-critical system information with proper access controls and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been publicly disclosed on GitHub and can be launched remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Monitor vendor channels for updates. Consider upgrading to a newer version if available.

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Restrict network access to the examination system to trusted IP addresses only

Use firewall rules to limit access (the ACCEPT rule must be added before the DROP rule, so apply them in this order):
  iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
  iptables -A INPUT -p tcp --dport [PORT] -j DROP

Application Firewall Rules

Platform: all

Implement WAF rules to block suspicious requests to the PaperController endpoint

Add WAF rule: deny requests containing suspicious patterns to /paper/* endpoints

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the examination system from untrusted networks
  • Enable detailed logging and monitoring for suspicious access patterns to PaperController endpoints

🔍 How to Verify

Check if Vulnerable:

Check if running Yunfan Learning Examination System version 1.9.2. Review application logs for unauthorized access to PaperController endpoints.

Check Version:

Check application configuration files or admin panel for version information

Verify Fix Applied:

Test that information disclosure no longer occurs when accessing PaperController endpoints. Verify that the system has been upgraded to a newer version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /paper/* endpoints
  • Requests to PaperController.java functions from unexpected sources
  • Information disclosure in response logs

Network Indicators:

  • Unusual traffic to examination system ports from external IPs
  • Patterns of reconnaissance activity

SIEM Query:

source="web_logs" AND (uri="/paper/*" OR uri="/PaperController") AND (status=200 OR status=500) AND src_ip NOT IN [trusted_ips]
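
The SIEM query above expressed as a small offline log filter, added here as an example and not part of the original advisory or the vendor's software: it applies the same three conditions (watched endpoint prefix, status 200 or 500, source address outside an allow-list) to Common Log Format access lines. The trusted networks and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Trusted source networks: constructed placeholder ranges, replace with your own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
# Endpoint prefixes and HTTP statuses taken from the advisory's SIEM query.
WATCHED_PREFIXES = ("/paper/", "/papercontroller")
WATCHED_STATUSES = {200, 500}

# Common Log Format access line; the constructed sample below follows this shape.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?:\d+|-)')

# Constructed sample: two matching requests from an untrusted address, one trusted
# client on the same endpoint, one unrelated path, and one non-matching status.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:09:14:02 +0000] "GET /paper/answer?id=42 HTTP/1.1" 200 1834
10.0.0.5 - - [10/Jan/2025:09:14:05 +0000] "GET /paper/list HTTP/1.1" 200 912
198.51.100.9 - - [10/Jan/2025:09:14:09 +0000] "GET /index.html HTTP/1.1" 200 400
203.0.113.7 - - [10/Jan/2025:09:14:11 +0000] "POST /PaperController/submit HTTP/1.1" 500 0
203.0.113.7 - - [10/Jan/2025:09:14:15 +0000] "GET /paper/answer?id=43 HTTP/1.1" 403 0
"""

def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or non-IP field: never treat as trusted
    return any(addr in net for net in TRUSTED_NETS)

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Pull source IP, request path (query string dropped) and status from one line."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not silently matched
    return {"ip": m["ip"], "uri": m["uri"].split("?", 1)[0], "status": int(m["status"])}

def find_suspicious(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Apply the advisory's logic: watched path, watched status, untrusted source."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if (str(rec["uri"]).lower().startswith(WATCHED_PREFIXES)
                and rec["status"] in WATCHED_STATUSES
                and not is_trusted(str(rec["ip"]))):
            hits.append(rec)
    return hits
```

Run it over a real access log with `find_suspicious(open("access.log"))`; repeated hits from one source address are the "unusual access pattern" worth triaging first.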
