CVE-2024-13134

6.3 MEDIUM

📋 TL;DR

This medium-severity vulnerability (6.3) in ZeroWdd studentmanager 1.0 allows remote attackers to upload arbitrary files through the addTeacher/editTeacher functions of TeacherController.java, which save the uploaded file without restricting its type. An attacker who can reach the teacher-management functions can upload a webshell or other malicious file and, where the upload directory is served by the application server, have it executed. Anyone running studentmanager 1.0 is affected.

💻 Affected Systems

Products:
  • ZeroWdd studentmanager
Versions: 1.0
Operating Systems: Any OS running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the TeacherController.java file specifically in the addTeacher/editTeacher functions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Webshell upload leading to remote code execution on the application server, data theft, and lateral movement within the network.

🟠 Likely Case

Attackers upload webshells to gain persistent access, deface the site, or deploy ransomware on the server.

🟢 If Mitigated

File uploads are disabled or validated server-side (allowlisted types, content checks, generated names, storage outside the web root), so an uploaded file cannot be executed.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details exist.
🏢 Internal Only: MEDIUM - Still exploitable by anyone who can reach the application and has teacher-management access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly disclosed on GitHub. The attack requires access to the teacher-management functions (addTeacher/editTeacher), so the attacker needs a session that can reach them; with that access, exploitation is a single crafted multipart upload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Add server-side validation of uploaded files in TeacherController.java (allowlisted extensions, content checks, generated stored names, storage outside the web root), or disable the upload feature, or replace the software.

🔧 Temporary Workarounds

Implement file upload validation (all platforms)

Add server-side validation in TeacherController.java before the file is saved: accept only an allowlist of extensions (not a denylist of dangerous ones), compare the last extension only and lower-cased, check that the file content matches the claimed type, reject names containing path separators or control characters, and store the file under a generated name in a directory the servlet container does not serve. Client-side checks and extension-only checks are not sufficient on their own.

Modify the addTeacher/editTeacher methods in TeacherController.java to perform these checks before saving.
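The checks described above, as an added example that is not the project's code: it is written in Python to show the logic, and the real fix belongs in the Java methods of TeacherController.java, where it translates one-to-one. The allowlist, the size cap and the upload-root path are assumptions. The names in the main block are the probes a verifier would send against the fixed endpoint; every one but the last is rejected, each for the reason printed:

```python
import secrets
from pathlib import Path

# Allowlist of extensions a teacher record plausibly needs, each paired with
# the magic bytes its content must start with. Assumed set: adjust to what
# studentmanager actually stores.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "pdf":  (b"%PDF-",),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed cap


class UploadRejected(ValueError):
    """Raised with a reason string; log it, answer HTTP 400, never save."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return the allowlisted extension for an acceptable upload, else raise.

    The client-supplied name is used only to pick the extension; the stored
    name comes from stored_filename(), so nothing from the request becomes a path.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    # Browsers send a bare name. Path separators, NUL or other control bytes
    # mean tampering ("../x.jsp", "x.jsp\x00.png"); reject rather than repair.
    if any(ord(c) < 0x20 for c in client_filename) or "/" in client_filename or "\\" in client_filename:
        raise UploadRejected("illegal characters in filename")
    # Only the LAST extension counts, lower-cased, so "x.png.JSP" is "jsp"
    # and "shell.jsp." has no extension at all.
    stem, sep, ext = client_filename.rpartition(".")
    if not sep or not stem or not ext:
        raise UploadRejected("missing extension")
    ext = ext.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    # Content must actually be the claimed type; a renamed .jsp fails here.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def stored_filename(ext: str) -> str:
    """Random name with the allowlisted extension; never derived from the client."""
    return f"{secrets.token_hex(16)}.{ext}"


def storage_path(upload_root: str, name: str) -> Path:
    """Resolve the final path and confirm it stays inside upload_root, which
    should be a directory the servlet container does not serve."""
    root = Path(upload_root).resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise UploadRejected("path escapes upload root")
    return target


def check(client_filename: str, data: bytes) -> str:
    """Convenience wrapper: 'accepted:<ext>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + validate_upload(client_filename, data)
    except UploadRejected as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    JSP = b'<%@ page import="java.io.*" %>'      # constructed marker, not a real shell
    PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16     # constructed PNG header
    # Probes a verifier would send; all but the last must be rejected.
    for name, body in [
        ("shell.jsp", JSP),
        ("shell.JSP", JSP),
        ("photo.png.jsp", JSP),
        ("shell.jsp\x00.png", PNG),
        ("../../ROOT/shell.jsp", JSP),
        ("shell.jsp.", JSP),
        ("shell.png", JSP),          # allowed extension, wrong content
        ("photo.png", PNG),
    ]:
        print(f"{name!r:28} -> {check(name, body)}")
```

The order of the checks matters only for the error message; what makes the fix hold is that the stored name is generated, the decision is made on the last extension plus the content, and the directory is one the container will not interpret as JSP.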

Disable file upload functionality (all platforms)

Temporarily disable the teacher file upload feature: comment out or remove the file-handling code in the addTeacher/editTeacher methods of TeacherController.java and redeploy the application.

🧯 If You Can't Patch

  • Implement WAF rules that block multipart uploads to the teacher endpoints whose filename has an executable extension (.jsp, .jspx, .war), matched case-insensitively and on the last extension
  • Configure the application server so that the upload directory is not served, or at least not processed as JSP
  • Restrict network access to the application using firewall rules

🔍 How to Verify

Check if Vulnerable:

Confirm the deployed version is studentmanager 1.0 and inspect the addTeacher/editTeacher methods in TeacherController.java: if the uploaded file is written to disk without any check of its extension or content, the instance is vulnerable.

Check Version:

Check application version in configuration files or about page.

Verify Fix Applied:

Using a test account with teacher-management access, upload files with disallowed names (for example .jsp, .JSP, .jspx, .png.jsp, a trailing dot, a name containing a null byte, a name containing ../) and confirm that each is rejected and that no corresponding file appears in the upload directory.

📡 Detection & Monitoring

Log Indicators:

  • Uploads to the teacher add/edit endpoints whose filename has an unexpected or doubled extension, upper-case extension, trailing dot, or control characters
  • Files with executable extensions in the upload directory (.jsp and .jspx matter most on a Java servlet container; also .war, .jar, .sh, .exe)
  • Requests for a freshly uploaded file, especially with query parameters, which is how a webshell is used

Network Indicators:

  • HTTP POST requests to teacher upload endpoints with unusual file types

SIEM Query:

source="web_server" AND (uri="/teacher/upload" OR uri="/teacher/add" OR uri="/teacher/edit") AND file_extension IN ("jsp", "jspx", "war", "jar", "sh", "exe")

The endpoint paths and the file_extension field are illustrative: the advisory names the Java methods (addTeacher/editTeacher), not their URL mappings, so substitute the paths from your deployment and the field your web or application log actually records. Match the extension case-insensitively and on the last extension of the name.
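The detection logic behind that query, run over constructed log lines as an added example that is not from the page or the project. It assumes a JSON-lines application or WAF log that records the uploaded filename; the endpoint paths, the allowlist and the sample records are assumptions marked in the code. It goes beyond the query in two ways: it normalizes the filename (case, doubled extensions, control characters) instead of trusting a pre-extracted field, and it flags a later request for a flagged filename, which is the webshell being used:

```python
import json
from typing import Optional

# Endpoints that reach addTeacher/editTeacher. Assumed paths: the advisory names
# the Java methods, not their URL mappings, so take these from your own routing.
TEACHER_ENDPOINTS = {"/teacher/add", "/teacher/edit", "/teacher/upload"}

# Extensions a servlet container, deploy directory or proxy might execute.
EXECUTABLE_EXTS = {"jsp", "jspx", "jspf", "war", "jar", "class", "sh", "exe", "php"}

# What the teacher form legitimately accepts (assumed).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "pdf"}

# Constructed sample records, not real traffic, in the shape of a JSON-lines
# application/WAF log that records the uploaded filename.
SAMPLE_LOG = r"""
{"ts":"2024-12-30T09:01:12Z","src":"10.0.5.21","user":"admin","method":"POST","uri":"/teacher/add","status":200,"upload_filename":"photo.png"}
{"ts":"2024-12-30T09:03:40Z","src":"10.0.5.21","user":"admin","method":"POST","uri":"/teacher/edit","status":200,"upload_filename":"cv.pdf"}
{"ts":"2024-12-30T09:07:02Z","src":"203.0.113.9","user":"t_wang","method":"POST","uri":"/teacher/edit","status":200,"upload_filename":"cmd.JSP"}
{"ts":"2024-12-30T09:07:05Z","src":"203.0.113.9","user":"t_wang","method":"GET","uri":"/upload/cmd.JSP?cmd=id","status":200}
{"ts":"2024-12-30T09:08:11Z","src":"203.0.113.9","user":"t_wang","method":"POST","uri":"/teacher/add","status":200,"upload_filename":"avatar.png.jsp"}
{"ts":"2024-12-30T09:09:30Z","src":"203.0.113.9","user":"t_wang","method":"POST","uri":"/teacher/add","status":200,"upload_filename":"pic.jsp\u0000.png"}
{"ts":"2024-12-30T09:09:55Z","src":"203.0.113.9","user":"t_wang","method":"POST","uri":"/teacher/add","status":200,"upload_filename":"notes.jsp.pdf"}
{"ts":"2024-12-30T09:10:00Z","src":"10.0.5.33","user":"t_li","method":"POST","uri":"/student/add","status":200,"upload_filename":"x.jsp"}
"""


def exts_of(filename: str) -> list:
    """Every dot-separated extension, lower-cased: 'avatar.png.jsp' -> ['png', 'jsp']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def suspicious_upload(filename: str) -> Optional[str]:
    """Why the client-supplied filename looks like an upload attack, or None.
    Mirrors what a correct server-side validator enforces, plus one broader
    signal: an executable extension anywhere in the name."""
    if any(ord(c) < 0x20 for c in filename) or "/" in filename or "\\" in filename:
        return "control character or path separator in filename"
    exts = exts_of(filename)
    last = exts[-1] if exts else ""
    if last not in ALLOWED_EXTS:
        return f"extension not in allowlist ({last or 'none'})"
    if EXECUTABLE_EXTS & set(exts):
        return "executable extension embedded in filename"
    return None


def scan(log_text: str) -> list:
    """Return alerts: suspicious uploads to teacher endpoints (high), and any later
    request for a flagged filename, which is the webshell being used (critical)."""
    alerts = []
    flagged = set()  # lower-cased names of suspicious uploads seen so far
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        path = r["uri"].split("?", 1)[0]
        if r["method"] == "POST" and path in TEACHER_ENDPOINTS and "upload_filename" in r:
            reason = suspicious_upload(r["upload_filename"])
            if reason:
                flagged.add(r["upload_filename"].lower())
                alerts.append({"severity": "high", "ts": r["ts"], "user": r["user"], "src": r["src"],
                               "uri": path, "filename": r["upload_filename"], "reason": reason})
        elif r["method"] == "GET":
            base = path.rsplit("/", 1)[-1].lower()
            if base in flagged:
                alerts.append({"severity": "critical", "ts": r["ts"], "user": r["user"], "src": r["src"],
                               "uri": r["uri"], "filename": base,
                               "reason": "request for a previously flagged upload (webshell use)"})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ts"]} {a["severity"]:8} {a["src"]:13} {a["user"]:7} {a["uri"]} {a["filename"]!r}: {a["reason"]}')
```

On the sample the scan raises five alerts: the three obviously bad teacher uploads, the notes.jsp.pdf upload (harmless to a Java container but still reconnaissance worth seeing), and the GET for cmd.JSP two seconds after it was uploaded, which is the one to page on. The x.jsp upload to /student/add is deliberately out of scope here; widening TEACHER_ENDPOINTS to every upload handler is a one-line change.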
