An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter
An attacker can send a crafted network request containing a manipulated jobId parameter value. Insufficient access control (CWE-284) causes the application to fail to properly verify permissions for operations related to this parameter. As a result, an unauthorized remote user is able to obtain a higher level of privileges in the system.
An attacker can take control of the application or system by obtaining elevated privileges, which threatens the confidentiality, integrity, and availability of data and system resources.
Apply patches available from the vendor according to the references. It is recommended to monitor the official RuoYi project repository at https://github.com/yangzongzhuan/RuoYi for current information about patches.
RuoYi v.4.8.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRuoyi
APPRuoyi4.8.0
Related vulnerabilities
RuoYi v4.8.2 — nieprawidłowa kontrola dostępu w funkcji aktualizacji
SQL Injection (RCE) w RuoYi v.4.7.9 i wcześniejszych — funkcja createTable
Eskalacja uprawnień w RuoYi v.4.8.0 poprzez parametr jobLogId
RuoYi 4.8.0 – privilege escalation przez metodę changeStatus
RuoYi 4.8.0 — privilege escalation przez brak walidacji parametru deptId