CVE-2024-42900
📋 TL;DR
This cross-site scripting (XSS) vulnerability in Ruoyi's code generation tool allows attackers to inject malicious scripts via the sql parameter. When exploited, it enables session hijacking, credential theft, or defacement of the administrative interface. Systems running Ruoyi v4.7.9 and earlier versions with the code generation module enabled are affected.
💻 Affected Systems
- Ruoyi (RuoYi)
📦 What is this software?
Ruoyi by Ruoyi
⚠️ Risk & Real-World Impact
Worst Case
Complete administrative account takeover leading to full system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Session hijacking of administrative users, credential theft, or defacement of the code generation interface.
If Mitigated
Limited to interface manipulation with proper input validation and output encoding in place.
🎯 Exploit Status
Exploitation requires authenticated access to the code generation interface. The vulnerability is in the createTable() function, where the user-controlled sql parameter is not properly sanitized before being reflected in the response.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.7.10 or later
Vendor Advisory: https://gitee.com/y_project/RuoYi
Restart Required: Yes
Instructions:
1. Download Ruoyi v4.7.10 or later from the official repository.
2. Back up your current installation and database.
3. Replace the affected files with the patched version.
4. Restart the application server.
5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the sql parameter before processing
Add input validation in the createTable() function to filter or escape special characters
Access Restriction
Restrict access to the /tool/gen endpoint to only trusted administrative users
Configure web server or application firewall to restrict /tool/gen/* paths
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads
- Disable the code generation module entirely if not required for business operations
🔍 How to Verify
Check if Vulnerable:
Access the code generation interface at /tool/gen/create and attempt to inject a simple XSS payload like <script>alert('test')</script> in the sql parameter. If the script executes, the system is vulnerable.
Check Version:
Check the version in the Ruoyi admin interface or examine the project's pom.xml file for version information
Verify Fix Applied:
After patching, repeat the same test with XSS payloads. The application should properly encode or reject the malicious input without executing scripts.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /tool/gen/create with script tags or JavaScript in parameters
- Multiple failed authentication attempts followed by access to code generation module
Network Indicators:
- HTTP requests containing <script> tags or JavaScript functions in URL parameters or POST data to the vulnerable endpoint
SIEM Query:
source="web_logs" AND url="/tool/gen/create" AND param="sql" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
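The same detection logic as the query above, run offline over application log lines, as an added example that is not part of the advisory or of the RuoYi project. The log format (timestamp, client IP, method, path, URL-encoded body) and all sample lines are constructed for illustration; the check decodes the sql parameter a second time so double-encoded payloads are not missed, and matches case-insensitively.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log lines (not from any real system): timestamp, client IP,
# method, path, and the URL-encoded request body as the application logged it.
SAMPLE_LOGS = [
    "2024-08-01T10:00:01Z 10.0.0.5 POST /tool/gen/create sql=CREATE+TABLE+sys_demo+%28id+bigint%29",
    "2024-08-01T10:00:02Z 10.0.0.9 POST /tool/gen/create sql=CREATE+TABLE+t+%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "2024-08-01T10:00:03Z 10.0.0.9 POST /tool/gen/create sql=%3Ca+href%3D%22JavaScript%3Avoid%280%29%22%3Ex%3C%2Fa%3E",
    "2024-08-01T10:00:04Z 10.0.0.7 GET /tool/gen/list pageNum=1&pageSize=10",
    "2024-08-01T10:00:05Z 10.0.0.5 POST /tool/gen/create sql=CREATE+TABLE+%3Cscript+src%3D%2F%2Fexample.invalid%3E",
    # Double-encoded variant: %253C decodes to %3C, which decodes to '<'.
    "2024-08-01T10:00:06Z 10.0.0.9 POST /tool/gen/create sql=CREATE+TABLE+u+%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<body>.*)$")
# The two markers from the advisory's SIEM query, matched case-insensitively.
# '<script\b' also catches an opening tag that carries attributes (e.g. src=).
XSS_RE = re.compile(r"<script\b|javascript:", re.IGNORECASE)


def decode_sql_param(body):
    """Return the 'sql' form field; parse_qs decodes once, unquote a second time."""
    params = parse_qs(body, keep_blank_values=True)
    raw = params.get("sql", [""])[0]
    return unquote(raw)


def is_suspicious(line):
    """True for a POST to /tool/gen/create whose sql parameter carries an XSS marker."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or m["path"] != "/tool/gen/create":
        return False
    return XSS_RE.search(decode_sql_param(m["body"])) is not None


def find_hits(lines):
    """Return (timestamp, client IP, decoded sql) for every suspicious line."""
    hits = []
    for line in lines:
        if is_suspicious(line):
            m = LOG_RE.match(line)
            hits.append((m["ts"], m["ip"], decode_sql_param(m["body"])))
    return hits


if __name__ == "__main__":
    for ts, ip, sql in find_hits(SAMPLE_LOGS):
        print(f"{ts} {ip} suspicious sql parameter: {sql!r}")
```

Marker matching of this kind is a triage filter, not proof of exploitation; confirm hits against the application's own request handling and the version check above.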