Ruoyi
by Ruoyi
Source repositories
CVEs (49)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-28405 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method | |||
| CVE-2025-28402 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter | |||
| CVE-2025-28413 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the SysDictTypeController component | |||
| CVE-2025-28406 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter | |||
| CVE-2025-28401 | 0.00 | — | 0.00 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the menuId parameter | |||
| CVE-2025-28407 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the edit method of the /edit/{dictId} endpoint does not properly validate whether the requesting user has permission to modify the specified dictId | |||
| CVE-2025-28410 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method does not properly validate whether the requesting user has administrative privileges | |||
| CVE-2025-28412 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeController | |||
| CVE-2025-28408 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the selectDeptTree method of the /selectDeptTree/{deptId} endpoint does not properly validate the deptId parameter | |||
| CVE-2025-28411 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method in /tool/gen/editSave | |||
| CVE-2025-28409 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/{parentId} endpoint does not properly validate whether the requesting user has permission to add a menu item under the specified parentId | |||
| CVE-2025-28403 | 0.00 | — | 0.01 | Apr 7, 2025 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method does not properly validate whether the requesting user has administrative privileges before allowing modifications to system configuration settings | |||
| CVE-2024-57439 | 0.00 | — | 0.01 | Jan 29, 2025 | An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account. | |||
| CVE-2024-57437 | 0.00 | — | 0.00 | Jan 29, 2025 | RuoYi v4.8.0 was discovered to contain a SQL injection vulnerability via the orderby parameter at /monitor/online/list. | |||
| CVE-2024-57436 | 0.00 | — | 0.01 | Jan 29, 2025 | RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie. | |||
| CVE-2024-57438 | 0.00 | — | 0.00 | Jan 29, 2025 | Insecure permissions in RuoYi v4.8.0 allows authenticated attackers to escalate privileges by assigning themselves higher level roles. | |||
| CVE-2024-54762 | 0.00 | — | 0.00 | Jan 9, 2025 | Ruoyi v.4.7.9 and before contains an authenticated SQL injection vulnerability. This is because the filterKeyword method does not completely filter SQL injection keywords, resulting in the risk of SQL injection. | |||
| CVE-2024-46076 | 0.00 | — | 0.00 | Oct 7, 2024 | RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the injection of malicious code. | |||
| CVE-2024-42900 | 0.00 | — | 0.00 | Aug 28, 2024 | Ruoyi v4.7.9 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the sql parameter of the createTable() function at /tool/gen/create. | |||
| CVE-2024-42913 | 0.00 | — | 0.00 | Aug 26, 2024 | RuoYi CMS v4.7.9 was discovered to contain a SQL injection vulnerability via the job_id parameter at /sasfs1. |
- CVE-2025-28405Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method
- CVE-2025-28402Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter
- CVE-2025-28413Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the SysDictTypeController component
- CVE-2025-28406Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter
- CVE-2025-28401Apr 7, 2025risk 0.00cvss —epss 0.00
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the menuId parameter
- CVE-2025-28407Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the edit method of the /edit/{dictId} endpoint does not properly validate whether the requesting user has permission to modify the specified dictId
- CVE-2025-28410Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method does not properly validate whether the requesting user has administrative privileges
- CVE-2025-28412Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeController
- CVE-2025-28408Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the selectDeptTree method of the /selectDeptTree/{deptId} endpoint does not properly validate the deptId parameter
- CVE-2025-28411Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method in /tool/gen/editSave
- CVE-2025-28409Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/{parentId} endpoint does not properly validate whether the requesting user has permission to add a menu item under the specified parentId
- CVE-2025-28403Apr 7, 2025risk 0.00cvss —epss 0.01
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method does not properly validate whether the requesting user has administrative privileges before allowing modifications to system configuration settings
- CVE-2024-57439Jan 29, 2025risk 0.00cvss —epss 0.01
An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account.
- CVE-2024-57437Jan 29, 2025risk 0.00cvss —epss 0.00
RuoYi v4.8.0 was discovered to contain a SQL injection vulnerability via the orderby parameter at /monitor/online/list.
- CVE-2024-57436Jan 29, 2025risk 0.00cvss —epss 0.01
RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.
- CVE-2024-57438Jan 29, 2025risk 0.00cvss —epss 0.00
Insecure permissions in RuoYi v4.8.0 allows authenticated attackers to escalate privileges by assigning themselves higher level roles.
- CVE-2024-54762Jan 9, 2025risk 0.00cvss —epss 0.00
Ruoyi v.4.7.9 and before contains an authenticated SQL injection vulnerability. This is because the filterKeyword method does not completely filter SQL injection keywords, resulting in the risk of SQL injection.
- CVE-2024-46076Oct 7, 2024risk 0.00cvss —epss 0.00
RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the injection of malicious code.
- CVE-2024-42900Aug 28, 2024risk 0.00cvss —epss 0.00
Ruoyi v4.7.9 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the sql parameter of the createTable() function at /tool/gen/create.
- CVE-2024-42913Aug 26, 2024risk 0.00cvss —epss 0.00
RuoYi CMS v4.7.9 was discovered to contain a SQL injection vulnerability via the job_id parameter at /sasfs1.
Page 2 of 3