PT-2024-39389 · Ruoyi · Ruoyi
Wang勇 · Published 2024-09-20 · Updated 2024-09-30 · CVE-2024-9048
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
RuoYi versions up to 4.7.9
Description
A vulnerability was found in the function SysUserServiceImpl of the component Backend User Import. The manipulation of the argument loginName leads to cross-site scripting. The attack can be launched remotely. The complexity of an attack is rather high, and the exploitation appears to be difficult.
Recommendations
For RuoYi versions up to 4.7.9, apply the patch identified by commit 9b68013b2af87b9c809c4637299abd929bc73510. As a temporary workaround, validate user input for the loginName argument to minimize the risk of exploitation, and restrict access to the SysUserServiceImpl function until the patch is applied.
XSS
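One way to apply the workaround described above, as an added example that is not RuoYi's own code: an allowlist check on the loginName column of an import, with HTML encoding for any place the rejected value is echoed back (such as an import result message). The class name, the allowlist pattern and the sample rows are assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example (not RuoYi code): allowlist check for an imported loginName plus HTML encoding.
public final class LoginNameValidator {
    // Assumption: a login name is 2 to 20 ASCII letters, digits, '_' or '-'. Markup characters
    // (< > " ' &) never match, so a row carrying them is rejected before it is persisted or reported.
    private static final Pattern LOGIN_NAME = Pattern.compile("^[A-Za-z0-9_-]{2,20}$");

    public static boolean isValid(String loginName) {
        return loginName != null && LOGIN_NAME.matcher(loginName).matches();
    }

    // Defence in depth: encode for an HTML context wherever a user-supplied
    // name is rendered, even one that passed validation.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds the failure report for rows whose loginName fails the allowlist;
    // the offending value is encoded before it goes into the message.
    public static String buildFailureMessage(List<String> importedLoginNames) {
        StringBuilder msg = new StringBuilder();
        for (int row = 0; row < importedLoginNames.size(); row++) {
            String name = importedLoginNames.get(row);
            if (!isValid(name)) {
                msg.append("row ").append(row + 1).append(": invalid loginName '")
                   .append(escapeHtml(String.valueOf(name))).append("'\n");
            }
        }
        return msg.toString();
    }

    public static void main(String[] args) {
        // Constructed sample rows, as they might arrive from an uploaded sheet.
        List<String> rows = List.of("admin01", "zhang_san", "<b>x</b>", "a");
        System.out.print(buildFailureMessage(rows));
    }
}
```

Rows 3 and 4 are reported as invalid, with the markup in row 3 rendered as `&lt;b&gt;x&lt;/b&gt;` rather than as live HTML.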
Weakness Enumeration
Related Identifiers
Affected Products
Ruoyi