PT-2025-48150 · Ruoyi · Ruoyi

Published: 2025-11-26 · Updated: 2025-12-04 · CVE-2025-46174

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Ruoyi version 4.8.0

Description

The software contains an incorrect access control issue. Specifically, a permission check is missing in the resetPwd method of the SysUserController.java file. This allows for potential privilege escalation through unauthorized password resets. The vulnerable method lacks a checkUserDataScope permission check.

Recommendations

Apply a fix to include the missing checkUserDataScope permission check in the resetPwd method of the SysUserController.java file.
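
The missing check and the recommended fix, shown as an added illustration that is not RuoYi source code. In this simplified Java model only the names resetPwd and checkUserDataScope come from the advisory; the user records, the department-based scope rule, and every other name are assumptions.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Simplified model, not RuoYi source. Only resetPwd and checkUserDataScope
// are names from the advisory; everything else here is assumed.
public class ResetPwdScopeDemo {
    record User(long id, long deptId) {}

    // Constructed sample data: two users in different departments.
    static final Map<Long, User> USERS = Map.of(
        10L, new User(10L, 100L),
        20L, new User(20L, 200L));
    // Ids of users whose password was reset (stands in for the real update).
    static final Set<Long> RESET = new HashSet<>();

    // Assumed scope rule: a caller may only act on users in its own department.
    static void checkUserDataScope(User caller, long targetId) {
        User target = USERS.get(targetId);
        if (target == null || target.deptId() != caller.deptId()) {
            throw new SecurityException("no permission to access user data");
        }
    }

    // Pattern the advisory describes: the target id is used without a scope check.
    static void resetPwdMissingCheck(User caller, long targetId) {
        RESET.add(targetId);
    }

    // Recommended shape: verify the data scope before changing anything.
    static void resetPwd(User caller, long targetId) {
        checkUserDataScope(caller, targetId);
        RESET.add(targetId);
    }

    public static void main(String[] args) {
        User caller = USERS.get(10L);
        resetPwdMissingCheck(caller, 20L); // goes through across departments
        System.out.println("unchecked, out of scope: " + RESET.contains(20L));
        RESET.clear();
        try {
            resetPwd(caller, 20L);
        } catch (SecurityException e) {
            System.out.println("checked, out of scope: rejected, " + e.getMessage());
        }
        resetPwd(caller, 10L); // same department is still allowed
        System.out.println("checked, in scope: " + RESET.contains(10L));
    }
}
```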

Fix · LPE

Weakness Enumeration: Improper Access Control, Missing Authorization

Related Identifiers: CVE-2025-46174

Affected Products: Ruoyi