CVE-2022-23869

Name of the Vulnerable Software and Affected Versions RuoYi versions 4.7.2

Description The issue allows a user without permission to reset another user's password through a specific API endpoint. Specifically, user test1 does not have permission to reset the password of user test3 via the WebUI, but can do so through the "/system/user/resetPwd" API endpoint.

Recommendations For RuoYi version 4.7.2, as a temporary workaround, consider restricting access to the "/system/user/resetPwd" API endpoint to prevent unauthorized password resets. Additionally, review and adjust the permission settings to ensure that only authorized users can reset passwords. At the moment, there is no information about a newer version that contains a fix for this vulnerability.