CVE-2024-13144 Overview
CVE-2024-13144 is an unrestricted file upload vulnerability in zhenfeng13 My-Blog 1.0, an open-source Java-based blogging platform. The flaw resides in the uploadFileByEditomd function in src/main/java/com/site/blog/my/core/controller/admin/BlogController.java. By manipulating the editormd-image-file multipart parameter, an attacker can upload arbitrary files to the server. The vulnerability is exploitable remotely over the network and requires only low privileges, that is, an account that can reach the admin editor's upload endpoint. Exploit details are publicly available, which increases the risk of opportunistic abuse against exposed deployments. The issue maps to [CWE-434] Unrestricted Upload of File with Dangerous Type and [CWE-284] Improper Access Control.
Critical Impact
Authenticated remote attackers can upload arbitrary files through the editor image upload endpoint, potentially enabling webshell deployment and follow-on compromise of the host application.
Affected Products
- zhenfeng13 My-Blog 1.0
- Component: BlogController.java (admin controller)
- Function: uploadFileByEditomd
Discovery Timeline
- 2025-01-06 - CVE-2024-13144 published to NVD
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2024-13144
Vulnerability Analysis
The vulnerability exists in the editor markdown (editormd) image upload handler exposed by the admin blog controller. The uploadFileByEditomd method accepts file uploads through the editormd-image-file multipart parameter without enforcing file type, extension, or content validation. An attacker with access to the upload endpoint can submit a file containing server-side code, such as a JSP file, in place of the expected image. The platform stores the uploaded file in a web-accessible directory, so the attacker can then request it by URL; where the servlet container serves that directory and treats the extension as executable (for example .jsp under Tomcat), the payload runs in the application's context.
EPSS data places exploitation likelihood at 0.075% with a percentile of 22.485, reflecting limited observed exploitation against this niche application. However, the public availability of exploit details elevates the practical risk for any internet-exposed deployment.
Root Cause
The root cause is missing validation logic in the upload handler. The implementation does not enforce an allowlist of permitted MIME types or file extensions, does not inspect file magic bytes, and does not rename uploaded files to non-executable names. Combined with weak access control on the upload route, these omissions allow any low-privilege user with editor access to write arbitrary content to the server filesystem.
Attack Vector
Exploitation is performed remotely over HTTP. An attacker authenticates to the application, locates the markdown editor upload endpoint, and submits a crafted multipart POST request with editormd-image-file containing a malicious payload. After successful upload, the attacker requests the file via its web-accessible path to execute the payload. Refer to the GitHub Issue Discussion and VulDB #290232 for additional technical context.
Detection Methods for CVE-2024-13144
Indicators of Compromise
- Unexpected files with executable extensions such as .jsp, .jspx, or .war in the My-Blog upload directories
- HTTP POST requests to admin endpoints containing the editormd-image-file parameter with non-image content types
- New or modified files in the application's static resource paths outside normal publishing workflows
- Outbound network connections originating from the application's Java process to unfamiliar hosts
Detection Strategies
- Monitor multipart upload requests to admin controllers and compare each part's declared Content-Type with the file's actual signature (magic bytes); this needs request-body visibility at a WAF or reverse proxy, since standard access logs do not record multipart part headers
- Alert on file writes into web-accessible directories that create files with executable extensions such as .jsp, .jspx, or .war
- Correlate authenticated admin sessions with upload activity outside expected business hours or from unusual source IPs
Monitoring Recommendations
- Enable detailed access logging on the application server and forward logs to a centralized analytics platform
- Apply file integrity monitoring to upload directories used by editormd
- Track process execution chains spawned by the Java application to identify post-exploitation behavior such as shell invocation or reconnaissance commands
How to Mitigate CVE-2024-13144
Immediate Actions Required
- Restrict network access to the /admin interface using firewall rules, VPN, or IP allowlists until a fix is applied
- Audit the upload directory for any files with executable extensions and remove unauthorized content
- Rotate credentials for any administrative accounts that may have been exposed
- Review application and access logs for prior exploitation attempts targeting uploadFileByEditomd
Patch Information
As of publication, no official vendor patch has been released for zhenfeng13 My-Blog 1.0. Track the GitHub Issue Discussion for fix availability. Operators should plan to apply the upstream patch as soon as it is published, or fork the project and implement validation locally.
Workarounds
- Modify uploadFileByEditomd to enforce an allowlist of image MIME types and extensions such as .png, .jpg, .jpeg, and .gif
- Validate file magic bytes server-side rather than trusting client-supplied Content-Type headers
- Store uploads outside the web root or configure the web server to deny execution of files in the upload directory
- Rename uploaded files to server-generated random identifiers and derive the stored extension from the verified image type, never from the client-supplied filename
# Example nginx configuration for a reverse proxy in front of the servlet
# container: refuse requests for script-like files under the upload path.
# This is defense in depth only: it works only if all client traffic passes
# through nginx, and it does not stop the container from compiling a JSP
# that is reached by another route. The /upload/ prefix is an assumption;
# use the deployment's real upload URL path.
location ~* ^/upload/.*\.(jsp|jspx|war|sh|php)$ {
    return 403;
}
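The validation the workarounds above describe, the declared-Content-Type-versus-signature check from Detection Strategies, and the upload-directory audit from Immediate Actions, as one added Python example. It is not part of My-Blog or the original page: it is a reference for the logic the Java handler should enforce and for what an audit should flag, not a drop-in patch for uploadFileByEditomd. The sample byte strings and the temporary directory layout (year/month folders) are constructed here as assumptions.

```python
"""Reference checks for the editormd image upload: the validation the admin
upload handler should perform, the declared-type-vs-signature detection check,
and a filesystem audit of an upload directory. Added example, not My-Blog code."""
import secrets
import tempfile
from pathlib import Path

# Magic bytes of the image types the endpoint is meant to accept, keyed by the
# canonical extension the server will assign after a successful check.
IMAGE_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
CANONICAL_MIME = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Extensions a servlet container or shell may execute (see the IoC list above).
EXECUTABLE_EXTENSIONS = {"jsp", "jspx", "war", "sh", "php"}

# Constructed sample payloads: signature bytes only, not real decodable images.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
JPG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 24
JSP_SAMPLE = b'<% out.println("uploaded"); %>'  # harmless stand-in for JSP source


def sniff_image_type(data: bytes):
    """Return the canonical extension implied by the leading bytes, or None."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_upload(filename: str, data: bytes) -> str:
    """Return the server-side name to store the file under, or raise ValueError.

    Extension allowlist, magic-byte check, and a random name whose extension
    comes from the verified content, not the client. Client Content-Type is
    ignored entirely; it is attacker-controlled.
    """
    ext = Path(filename).suffix.lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise ValueError("content does not start with an allowed image signature")
    if ("jpg" if ext == "jpeg" else ext) != sniffed:
        raise ValueError(f"extension {ext!r} disagrees with content {sniffed!r}")
    return f"{secrets.token_hex(16)}.{sniffed}"


def is_accepted(filename: str, data: bytes) -> bool:
    """Would validate_upload() accept this file?"""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def declared_type_mismatch(declared_content_type: str, data: bytes) -> bool:
    """Detection check for a proxy or WAF: True when the client-declared part
    Content-Type disagrees with the bytes actually sent (worth alerting on)."""
    claimed = declared_content_type.lower().split(";")[0].strip()
    sniffed = sniff_image_type(data)
    return sniffed is None or CANONICAL_MIME[sniffed] != claimed


def audit_upload_dir(root: Path):
    """Walk an upload directory and report files with executable extensions
    and image-named files whose content is not an image."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower().lstrip(".")
        with path.open("rb") as fh:
            head = fh.read(16)
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((rel, "executable extension in upload directory"))
        elif ext in ALLOWED_EXTENSIONS and sniff_image_type(head) is None:
            findings.append((rel, "image extension but non-image content"))
    return findings


def build_demo_upload_dir() -> Path:
    """Create a throwaway directory that mimics an upload tree after an attack
    (constructed layout; the year/month folders are an assumption)."""
    root = Path(tempfile.mkdtemp(prefix="myblog-upload-"))
    sub = root / "2025" / "01"
    sub.mkdir(parents=True)
    (sub / "a1b2c3.png").write_bytes(PNG_SAMPLE)  # legitimate image
    (sub / "cmd.jsp").write_bytes(JSP_SAMPLE)      # webshell-style drop
    (sub / "photo.png").write_bytes(JSP_SAMPLE)    # JSP hidden behind .png
    (root / "readme.txt").write_bytes(b"not an upload")
    return root


if __name__ == "__main__":
    print(validate_upload("cat.PNG", PNG_SAMPLE))           # random name ending in .png
    print(is_accepted("shell.png", JSP_SAMPLE))             # False
    print(declared_type_mismatch("image/png", JSP_SAMPLE))  # True
    for rel, reason in audit_upload_dir(build_demo_upload_dir()):
        print(f"{rel}: {reason}")
```

A signature check alone does not stop a polyglot (a valid PNG header followed by JSP source), so it must be paired with the random rename to a verified image extension and with storing uploads outside the web root or with execution disabled for the upload directory; the check decides what is accepted, the rename and storage location decide that even an accepted file can never be executed.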
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.