CVE-2024-13212 – This critical vulnerability in SingMR HouseRent... (How to Fix)

Q: What is the severity of CVE-2024-13212?

CVE-2024-13212 has a CVSS score of 6.3 (MEDIUM). This critical vulnerability in SingMR HouseRent 1.0 allows remote attackers to upload arbitrary files without restrictions via the singleUpload/upload function. Attackers can exploit this to upload malicious files like webshells or malware. All users running HouseRent 1.0 are affected.

📋 TL;DR

This critical vulnerability in SingMR HouseRent 1.0 allows remote attackers to upload arbitrary files without restrictions via the singleUpload/upload function. Attackers can exploit this to upload malicious files like webshells or malware. All users running HouseRent 1.0 are affected.

💻 Affected Systems

Products:

SingMR HouseRent

Versions: 1.0

Operating Systems: Any OS running Java applications

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific upload function in AddHouseController.java. Any deployment using this version is vulnerable.

📦 What is this software?

Houserent by Singmr

View all CVEs affecting Houserent →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via webshell upload leading to remote code execution, data theft, and lateral movement within the network.

🟠

Likely Case

Attackers upload webshells to gain persistent access, deface websites, or deploy ransomware on the server.

🟢

If Mitigated

File uploads are blocked or properly validated, preventing malicious file execution.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details exist.

🏢 Internal Only: MEDIUM - Internal attackers could still exploit this if they have network access to the application.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly disclosed in GitHub issues. Attack requires sending specially crafted file upload requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Consider applying workarounds or replacing the software.

🔧 Temporary Workarounds

Implement File Upload Validation

all

Add server-side validation to restrict file types, check file signatures, and limit upload sizes.

Modify src/main/java/com/house/wym/controller/AddHouseController.java to add validation logic

Web Application Firewall Rules

all

Configure WAF to block malicious file upload patterns and suspicious upload requests.

Add WAF rules to detect and block unrestricted upload attempts

🧯 If You Can't Patch

Disable the vulnerable upload functionality entirely if not required
Implement network segmentation to isolate the HouseRent application from critical systems

🔍 How to Verify

Check if Vulnerable:

Test if you can upload files with dangerous extensions (.jsp, .php, .exe) via the upload endpoint without validation.

Check Version:

Check application version in configuration files or via version endpoint if available.

Verify Fix Applied:

Attempt to upload restricted file types; successful uploads should be blocked with proper error messages.

📡 Detection & Monitoring

Log Indicators:

Unusual file uploads with suspicious extensions
Multiple failed upload attempts
Uploads of unusually large files

Network Indicators:

HTTP POST requests to upload endpoints with malicious file content
Traffic patterns showing file uploads to unexpected paths

SIEM Query:

source="web_logs" AND (uri="/upload" OR uri="/singleUpload") AND (file_extension IN ("jsp", "php", "exe", "war"))

📊 Metadata

CVE ID: CVE-2024-13212

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-284

EPSS Score: 0.17% exploit probability (38.4th percentile)

Published: January 9, 2025

Last Updated: October 15, 2025

🔗 References

https://github.com/SingMR/HouseRent/issues/13 Not Applicable
https://github.com/SingMR/HouseRent/issues/13#issue-2762125363 Not Applicable
https://vuldb.com/?ctiid.290817 Permissions Required,VDB Entry
https://vuldb.com/?id.290817 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.471441 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13212, you might also want to check these: