
CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

02 Apr 2023 — An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files from the server. • https://gitee.com/y_project/RuoYi/commit/432d5ce1be2e9384a6230d7ccd8401eef5ce02b0 • CWE-494: Download of Code Without Integrity Check •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

02 Feb 2023 — RuoYi up to v4.7.5 was discovered to contain a SQL injection vulnerability via the component /tool/gen/createTable. • https://gitee.com/y_project/RuoYi/issues/I65V2B • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 2

16 Dec 2022 — A vulnerability, which was classified as critical, has been found in y_project RuoYi 4.7.5. This issue affects some unknown processing of the file com/ruoyi/generator/controller/GenController. The manipulation leads to sql injection. The name of the patch is 167970e5c4da7bb46217f576dc50622b83f32b40. It is recommended to apply a patch to fix this issue. • https://gitee.com/y_project/RuoYi/commit/167970e5c4da7bb46217f576dc50622b83f32b40 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-707: Improper Neutralization •
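Both /tool/gen/createTable entries above concern a code-generator endpoint that accepts DDL text from the caller and runs it. Parameterised queries do not help with DDL, so the practical defence is an allowlist: split the submission into statements, accept only bare CREATE TABLE statements, and reject anything left over (a second statement, a dangling comment, an unclosed quote). The Python below is an added example of that check, not the project's own fix; it uses sqlite3's statement splitter and an in-memory database only to demonstrate the idea, and the regular expression for "what a CREATE TABLE looks like" is an assumption.

```python
import re
import sqlite3

# Assumed shape of an acceptable statement: a bare CREATE TABLE, optionally
# IF NOT EXISTS, with a plain, back-quoted or double-quoted table name.
_CREATE_TABLE = re.compile(
    r"^\s*CREATE\s+TABLE\s+(IF\s+NOT\s+EXISTS\s+)?[`\"\w.]+\s*\(",
    re.IGNORECASE,
)


def split_statements(sql: str) -> list[str]:
    """Split on ';' while respecting string literals and comments.

    sqlite3.complete_statement() only reports True once the buffer ends with a
    ';' that is outside any quote or comment, so semicolons inside literals do
    not split, and a trailing '-- comment' can never become a statement.
    """
    statements, buf = [], ""
    for piece in sql.split(";"):
        buf += piece + ";"
        if sqlite3.complete_statement(buf):
            stmt = buf.strip()
            buf = ""
            if stmt.strip(";").strip():          # ignore empty ";" fragments
                statements.append(stmt)
    leftover = buf.strip(" \t\r\n;")
    if leftover:
        raise ValueError(f"trailing content after last statement: {leftover[:40]!r}")
    return statements


def validate_create_table_sql(sql: str) -> list[str]:
    """Return the statements if every one is a CREATE TABLE, else raise."""
    statements = split_statements(sql)
    if not statements:
        raise ValueError("no statement supplied")
    for stmt in statements:
        if not _CREATE_TABLE.match(stmt):
            raise ValueError(f"not a CREATE TABLE statement: {stmt[:40]!r}")
    return statements


def is_safe_ddl(sql: str) -> bool:
    try:
        validate_create_table_sql(sql)
        return True
    except ValueError:
        return False


def created_tables(sql: str) -> list[str]:
    """Validate, then run the DDL in a throw-away in-memory DB and list the tables."""
    conn = sqlite3.connect(":memory:")
    try:
        for stmt in validate_create_table_sql(sql):
            conn.execute(stmt)
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
        return [name for (name,) in rows]
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: one legitimate generator request, two injection attempts
    for candidate in [
        "CREATE TABLE `gen_demo` (id INT PRIMARY KEY, name VARCHAR(64));",
        "CREATE TABLE t (a INT); DROP TABLE sys_user;",
        "CREATE TABLE t (a INT); -- DROP TABLE sys_user",
    ]:
        print(f"{is_safe_ddl(candidate)!s:5}  {candidate}")
```

The check is deliberately lexical and strict: MySQL-only syntax such as `#` comments or statements preceded by a comment block are rejected rather than parsed, which is the right failure direction for an endpoint that executes what it is given.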

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Dec 2022 — A deserialization issue discovered in RuoYi before 4.6.1 allows remote attackers to run arbitrary code via a weak cipher in the Shiro framework. • https://www.du1ge.com/archives/CVE-2021-38241 • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

08 Dec 2022 — A vulnerability was found in y_project RuoYi-Cloud. It has been rated as problematic. Affected by this issue is some unknown functionality of the component JSON Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. • https://gitee.com/y_project/RuoYi-Cloud/issues/I5IRC8 • CWE-707: Improper Neutralization •

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 2

13 Jul 2022 — An arbitrary file upload vulnerability in the background management module of RuoYi v4.7.3 and below allows attackers to execute arbitrary code via a crafted HTML file. • https://gitee.com/y_project/RuoYi/commit/d8b2a9a905fb750fa60e2400238cf4750a77c5e6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
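The file upload entry above and the arbitrary file download entry (v4.7.6 and below) are two sides of the same file-handling surface: a client-supplied name must never select a file outside the storage directory, and a stored file must never be something a browser will render as a page. The Python below is an added example covering both checks, not code from RuoYi; the storage path, the extension allowlist and the file-name pattern are assumptions, and no files are actually created.

```python
import os
import re

# Assumed storage layout: every uploaded or downloadable file lives under this one directory
UPLOAD_ROOT = "/srv/ruoyi/upload"
# Assumed upload allowlist: no html/htm/svg/jsp/jspx, so nothing a browser or servlet engine executes
ALLOWED_EXTENSIONS = frozenset(
    {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "xlsx", "xls", "docx", "zip"}
)
# First character alphanumeric or '_', so '..' and dotfiles such as '.htaccess' are rejected
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$")


def resolve_download(base: str, requested: str) -> str:
    """Map a client-supplied name onto a path that must stay inside `base`."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing file name")
    if "/" in requested or "\\" in requested:
        raise ValueError("directory separators are not allowed")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # Containment check on the normalised paths; '..' resolves to the parent and fails here
    if os.path.commonpath([base_real, candidate]) != base_real or candidate == base_real:
        raise ValueError("path escapes the download directory")
    return candidate


def check_download(base: str, requested: str):
    """(True, resolved path) or (False, reason), for callers that prefer a verdict."""
    try:
        return True, resolve_download(base, requested)
    except ValueError as exc:
        return False, str(exc)


def validate_upload_name(filename: str) -> str:
    """Keep only the leaf name, then enforce the character set and extension allowlist."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not _SAFE_NAME.match(name):
        raise ValueError("file name contains disallowed characters")
    if "." not in name:
        raise ValueError("file name has no extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} is not allowed")
    return name


def check_upload(filename: str):
    try:
        return True, validate_upload_name(filename)
    except ValueError as exc:
        return False, str(exc)


def download_headers(name: str) -> dict:
    """Serve stored files as opaque attachments so a stray HTML file is never rendered."""
    return {
        "Content-Disposition": f'attachment; filename="{name}"',
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed inputs: a normal request followed by traversal and upload attempts
    for requested in ["report.xlsx", "../../../etc/passwd", "..", "..\\..\\win.ini"]:
        print("download", requested, "->", check_download(UPLOAD_ROOT, requested))
    for filename in ["photo.PNG", "evil.html", "../../shell.jsp", ".htaccess"]:
        print("upload  ", filename, "->", check_upload(filename))
```

The separator ban makes the containment check belt-and-braces rather than the only line of defence; keep both, because the realpath comparison is what still holds if the name rule is later relaxed to allow subdirectories.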

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

30 Mar 2022 — In RuoYi v4.7.2, through the WebUI user test1 does not have permission to reset the password of user test3, but the password of user test3 can still be reset through a direct /system/user/resetPwd request. • https://gitee.com/y_project/RuoYi/issues/I4RCO2 • CWE-732: Incorrect Permission Assignment for Critical Resource •
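The pattern in the entry above is a menu-level permission check without an object-level one: the UI hides the button, but the endpoint only asks "may this caller reset passwords at all", not "may this caller reset *this* user". The Python below is an added illustration of the difference, not RuoYi's code; the permission string, the department-based data-scope rule and the sample users are assumptions constructed for the example.

```python
import hashlib
import os
from dataclasses import dataclass

PERM_RESET_PWD = "system:user:resetPwd"   # assumed permission string for the endpoint


@dataclass
class User:
    user_id: int
    login_name: str
    dept_id: int
    roles: frozenset
    perms: frozenset
    password_hash: bytes = b""


class Forbidden(Exception):
    pass


def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def has_menu_permission(actor: User) -> bool:
    """Function-level check: does the caller hold the permission at all?"""
    return PERM_RESET_PWD in actor.perms


def in_data_scope(actor: User, target: User) -> bool:
    """Object-level check the vulnerable endpoint lacks: may actor touch this target?"""
    if "admin" in actor.roles:
        return True
    if "admin" in target.roles:
        return False                          # non-admins never reset an administrator
    return actor.dept_id == target.dept_id    # assumed data-scope rule: own department only


def reset_pwd_vulnerable(db: dict, actor_id: int, target_id: int, new_password: str) -> bool:
    actor, target = db[actor_id], db[target_id]
    if not has_menu_permission(actor):
        raise Forbidden("missing permission")
    target.password_hash = hash_password(new_password)   # any target, as long as the perm exists
    return True


def reset_pwd_hardened(db: dict, actor_id: int, target_id: int, new_password: str) -> bool:
    actor, target = db[actor_id], db[target_id]
    if not has_menu_permission(actor):
        raise Forbidden("missing permission")
    if not in_data_scope(actor, target):
        raise Forbidden(f"{actor.login_name} may not manage {target.login_name}")
    target.password_hash = hash_password(new_password)
    return True


def sample_db() -> dict:
    """Constructed users: test1 and test3 in different departments, plus an admin."""
    return {
        1: User(1, "test1", 100, frozenset({"common"}), frozenset({PERM_RESET_PWD})),
        3: User(3, "test3", 200, frozenset({"common"}), frozenset()),
        99: User(99, "admin", 100, frozenset({"admin"}), frozenset({PERM_RESET_PWD})),
    }


def password_changed(handler, db: dict, actor_id: int, target_id: int) -> bool:
    """Run a handler and report whether the target's password actually changed."""
    before = db[target_id].password_hash
    try:
        handler(db, actor_id, target_id, "N3w-P@ssw0rd")
    except Forbidden:
        pass
    return db[target_id].password_hash != before


if __name__ == "__main__":
    print("vulnerable, test1 -> test3:", password_changed(reset_pwd_vulnerable, sample_db(), 1, 3))
    print("hardened,   test1 -> test3:", password_changed(reset_pwd_hardened, sample_db(), 1, 3))
    print("hardened,   admin -> test3:", password_changed(reset_pwd_hardened, sample_db(), 99, 3))
```

Whatever the real scope rule is, it has to be evaluated on the server against the target record named in the request; the UI's decision to hide a button is not an authorization decision.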

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

30 Mar 2022 — RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens an exported .xlsx log file. • https://gitee.com/y_project/RuoYi/issues/I4RBBD • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
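Log exports are a classic formula-injection sink because the exported columns (operator name, request parameters) are attacker-controlled and end up in a spreadsheet that the administrator opens. The Python below is an added example of the neutralisation step, not ruoyi-admin's export code: it treats any string that starts with `=`, `+`, `-`, `@`, tab or carriage return as a potential formula and prefixes it with a single quote, while leaving real numbers alone. The sample log rows are constructed for the example, and the CSV writer stands in for whatever spreadsheet library produces the .xlsx.

```python
import csv
import io
import re

# Leading characters that make Excel/LibreOffice evaluate a cell instead of displaying it
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
_PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")


def neutralize_cell(value):
    """Prefix formula-looking strings with a quote so they are stored as literal text."""
    if not isinstance(value, str):
        return value                      # ints/floats are written as numbers, never parsed as formulas
    stripped = value.lstrip(" ")
    if not stripped or stripped[0] not in FORMULA_TRIGGERS:
        return value
    if _PLAIN_NUMBER.match(stripped):
        return value                      # "-5" or "+3.2" is a number, not a formula
    return "'" + value


def export_log_csv(rows, columns) -> str:
    """Write rows to CSV, neutralising every cell on the way out."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({c: neutralize_cell(row.get(c, "")) for c in columns})
    return buf.getvalue()


# Constructed sample: an operation log whose operator name and request parameters
# are attacker-influenced (example data, not taken from the advisory)
SAMPLE_LOG = [
    {"id": 1, "operator": "admin", "title": "User management", "param": '{"userName":"alice"}'},
    {"id": 2, "operator": "=cmd|' /C calc'!A0", "title": "Login", "param": "-2+3+cmd|' /C calc'!A0"},
    {"id": 3, "operator": "bob", "title": "Export", "param": "@SUM(1+1)*cmd|' /C calc'!A0"},
]
COLUMNS = ["id", "operator", "title", "param"]


def export_sample() -> str:
    return export_log_csv(SAMPLE_LOG, COLUMNS)


if __name__ == "__main__":
    print(export_sample())
```

With a CSV the leading apostrophe is visible after import but the cell is inert; when writing a real .xlsx through a spreadsheet library, the equivalent is to force the cell type to string for every user-derived column rather than letting the library infer a formula from the leading `=`.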