
CVSS: 8.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Jan 2025 — RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users by using a crafted cookie. • https://github.com/peccc/restful_vul/blob/main/ruoyi_elevation_of_privileges/ruoyi_elevation_of_privileges.md • CWE-922: Insecure Storage of Sensitive Information

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Jan 2025 — RuoYi v4.8.0 was discovered to contain a SQL injection vulnerability via the orderby parameter at /monitor/online/list. • https://gitee.com/y_project/RuoYi • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Jan 2025 — Insecure permissions in RuoYi v4.8.0 allow authenticated attackers to escalate privileges by assigning themselves higher-level roles. • https://gitee.com/y_project/RuoYi • CWE-863: Incorrect Authorization

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Jan 2025 — An issue in the reset password interface of RuoYi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account. • https://gitee.com/y_project/RuoYi • CWE-281: Improper Preservation of Permissions

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Jan 2025 — RuoYi v4.7.9 and before contains an authenticated SQL injection vulnerability. This is because the filterKeyword method does not completely filter SQL injection keywords, resulting in the risk of SQL injection. • https://github.com/yangzongzhuan/RuoYi • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

07 Oct 2024 — RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the injection of malicious code. • https://gist.github.com/kkll5875/f237f200bae6db6b47eea3236d82ad0d • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Aug 2024 — RuoYi v4.7.9 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the sql parameter of the createTable() function at /tool/gen/create. • https://g03m0n.github.io/posts/cve-2024-42900 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 Aug 2024 — RuoYi CMS v4.7.9 was discovered to contain a SQL injection vulnerability via the job_id parameter at /sasfs1. • https://github.com/kkll5875/CVE-2024-42913 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Jul 2024 — Cross Site Scripting vulnerability in RuoYi v4.7.9 and before allows a remote attacker to execute arbitrary code via the file upload method. • https://github.com/topsky979/Security-Collections/tree/main/CVE-2024-41599 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Apr 2024 — An issue was discovered in RuoYi v4.5.1 that allows attackers to obtain sensitive information via the status parameter. • https://github.com/Fr1ezy/RuoYi_info • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor