CVSS: 5.8EPSS: 0%CPEs: 9EXPL: 1CVE-2025-0734 – y_project RuoYi Whitelist getBeanName deserialization
https://notcve.org/view.php?id=CVE-2025-0734
27 Jan 2025 — A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. This vulnerability affects the function getBeanName of the component Whitelist. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://gist.github.com/GSBP0/3c1b0f9dbdd2a48b8f52330cfbbc279b • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 6.3EPSS: 0%CPEs: 10EXPL: 1CVE-2024-9048 – y_project RuoYi Backend User Import SysUserServiceImpl.java SysUserServiceImpl cross site scripting
https://notcve.org/view.php?id=CVE-2024-9048
21 Sep 2024 — A vulnerability was found in y_project RuoYi up to 4.7.9. It has been declared as problematic. Affected by this vulnerability is the function SysUserServiceImpl of the file ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java of the component Backend User Import. The manipulation of the argument loginName leads to cross site scripting. The attack can be launched remotely. • https://vuldb.com/?id.278215 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 1CVE-2024-6511 – y_project RuoYi Content-Type isJsonRequest cross site scripting
https://notcve.org/view.php?id=CVE-2024-6511
04 Jul 2024 — A vulnerability classified as problematic was found in y_project RuoYi up to 4.7.9. Affected by this vulnerability is the function isJsonRequest of the component Content-Type Handler. The manipulation of the argument HttpHeaders.CONTENT_TYPE leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://gitee.com/y_project/RuoYi/issues/IA8O7O • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •