CVE-2024-13110 in Yunfan Learning Examination Systeminfo

Summary

by MITRE • 01/02/2025

A vulnerability classified as problematic has been found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected is an unknown function of the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java, of the component Exam Answer Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 08/26/2025

This vulnerability resides within the Yunfan Learning Examination System version 1.9.2 developed by Beijing Yunfan Internet Technology, specifically targeting the Exam Answer Handler component. The affected file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java contains a flaw that enables unauthorized information disclosure through remote exploitation. The vulnerability represents a critical security weakness that allows attackers to access sensitive examination data without proper authentication or authorization. The exposure occurs through an unknown function within the paper controller component, making it particularly concerning as the exact nature of the vulnerable code path remains unspecified in the public disclosure.

The technical implementation of this vulnerability stems from inadequate input validation and access control mechanisms within the examination system's answer handling functionality. When processing examination responses or related data through the PaperController.java file, the system fails to properly validate user inputs or enforce appropriate authorization checks. This weakness creates an information disclosure pathway that can be exploited remotely, allowing malicious actors to retrieve examination papers, student responses, or other confidential academic data. The vulnerability's classification as problematic indicates it has been recognized by security researchers as a legitimate threat that requires immediate attention and remediation.

The operational impact of this vulnerability extends beyond simple data exposure, potentially compromising the integrity and confidentiality of entire examination processes within educational institutions using this software. Remote exploitation means that attackers can access sensitive academic information from anywhere on the internet without requiring physical access to the system infrastructure. This poses significant risks to student privacy, examination security, and institutional data protection. The disclosure of examination papers, answer keys, or student performance data could lead to academic dishonesty, privacy violations, and potential legal consequences for the educational institutions involved. The vulnerability affects the core functionality of the examination system and undermines trust in the digital assessment platform.

Security mitigation strategies should focus on implementing comprehensive input validation, strengthening access controls, and conducting thorough code reviews of the affected component. Organizations should immediately update to patched versions of the Yunfan Learning Examination System if available, while implementing network segmentation to limit access to examination systems. The implementation of proper authentication mechanisms, session management, and data encryption should be prioritized to prevent unauthorized access. Additionally, regular security audits and penetration testing should be conducted to identify similar vulnerabilities within the system architecture. This vulnerability aligns with CWE-20 (Improper Input Validation) and CWE-501 (Trust Boundary Violation) categories, and represents a technique commonly associated with information disclosure attacks in the MITRE ATT&CK framework under the T1005 (Data from Local System) and T1071.004 (Application Layer Protocol: DNS) tactics. Organizations should also consider implementing network monitoring solutions to detect suspicious access patterns and ensure compliance with data protection regulations such as GDPR or local privacy laws.

Responsible

VulDB

Disclosure

01/02/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00605

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!