CVE-2024-13133

6.3 MEDIUM

📋 TL;DR

This critical vulnerability in ZeroWdd studentmanager 1.0 allows attackers to upload arbitrary files without restrictions through the addStudent/editStudent functions. Remote attackers can exploit this to potentially execute malicious code or compromise the system. All deployments of studentmanager 1.0 are affected.

💻 Affected Systems

Products:
  • ZeroWdd studentmanager
Versions: 1.0
Operating Systems: Any OS running Java
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable by default

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠 Likely Case: Webshell upload enabling persistent access, data exfiltration, or lateral movement

🟢 If Mitigated: File upload attempts blocked or quarantined with no successful exploitation

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication
🏢 Internal Only: HIGH - Internal attackers can also exploit this vulnerability

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed in GitHub issues, making exploitation straightforward

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider workarounds or migrating to alternative software.

🔧 Temporary Workarounds

File Upload Restriction (applies to: all)

Implement strict file type validation and size limits on upload endpoints

Web Application Firewall Rules (applies to: all)

Deploy WAF rules to block malicious file upload patterns

🧯 If You Can't Patch

  • Isolate the studentmanager application in a restricted network segment
  • Implement strict file system permissions and disable execution in upload directories

🔍 How to Verify

Check if Vulnerable:

Check if running studentmanager 1.0 and test file upload functionality with malicious extensions

Check Version:

Check application version in configuration files or about page

Verify Fix Applied:

Test that file uploads with dangerous extensions (like .jsp, .php, .exe) are rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads, especially with executable extensions
  • Large file uploads to student endpoints

Network Indicators:

  • POST requests to /addStudent or /editStudent with file uploads

SIEM Query:

source="web_logs" AND (uri="/addStudent" OR uri="/editStudent") AND method="POST" AND file_upload="true"
