PT-2025-21781 · Unknown · Y Project Ruoyi
Unnlucky1
·
Published
2025-05-17
·
Updated
2025-10-10
·
CVE-2025-4819
CVSS v4.0
2.3
Low
| Vector | AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
y project RuoYi version 4.8.0
Description:
A vulnerability has been found in y project RuoYi. It affects an unknown function of the file /monitor/online/batchForceLogout of the component Offline Logout. The manipulation of the
ids argument leads to improper authorization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.Recommendations:
For y project RuoYi version 4.8.0, as a temporary workaround, consider disabling the functionality related to the /monitor/online/batchForceLogout file until a patch is available. Restrict access to the Offline Logout component to minimize the risk of exploitation. Avoid using the
ids argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
Improper Authorization
Incorrect Privilege Assignment
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Y Project Ruoyi