y_project

18 exploits Active since Mar 2022
CVE-2022-23868 GITEE HIGH java
RuoYi v4.7.2 - CSV Injection via Log File Export
RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file.
47,892 stars
CVSS 7.8
CVE-2023-3815 GITEE LOW java
RuoYi < 4.7.7 - Cross-Site Scripting via File Upload originalFilenames Parameter
A vulnerability, which was classified as problematic, has been found in y_project RuoYi up to 4.7.7. Affected by this issue is the function uploadFilesPath of the component File Upload. The manipulation of the argument originalFilenames leads to cross site scripting. The attack may be launched remotely. VDB-235118 is the identifier assigned to this vulnerability.
47,892 stars
CVSS 3.5
CVE-2023-3163 GITEE LOW java
RuoYi < 4.7.7 - Uncontrolled Resource Consumption via filterKeyword Function
A vulnerability was found in y_project RuoYi up to 4.7.7. It has been classified as problematic. Affected is the function filterKeyword. The manipulation of the argument value leads to resource consumption. VDB-231090 is the identifier assigned to this vulnerability.
47,892 stars
CVSS 3.5
CVE-2023-27025 GITEE HIGH java
RuoYi < 4.7.6 - Arbitrary File Download via Background Management Module
An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server.
47,892 stars
CVSS 7.5
CVE-2022-48114 GITEE CRITICAL java
RuoYi < 4.7.5 - SQL Injection via /tool/gen/createTable
RuoYi up to v4.7.5 was discovered to contain a SQL injection vulnerability via the component /tool/gen/createTable.
47,892 stars
CVSS 9.8
CVE-2022-4566 GITEE MEDIUM java
y_project RuoYi <4.7.5 - SQL Injection
A vulnerability, which was classified as critical, has been found in y_project RuoYi 4.7.5. This issue affects some unknown processing of the file com/ruoyi/generator/controller/GenController. The manipulation leads to sql injection. The name of the patch is 167970e5c4da7bb46217f576dc50622b83f32b40. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215975.
47,892 stars
CVSS 5.5
CVE-2022-32065 GITEE MEDIUM java
RuoYi < 4.7.3 - Arbitrary File Upload and Remote Code Execution via HTML File
An arbitrary file upload vulnerability in the background management module of RuoYi v4.7.3 and below allows attackers to execute arbitrary code via a crafted HTML file.
47,892 stars
CVSS 5.4
CVE-2022-23869 GITEE MEDIUM java
RuoYi 4.7.2 - Incorrect Permission Assignment for Critical Resource via /system/user/resetPwd
In RuoYi v4.7.2 through the WebUI, user test1 does not have permission to reset the password of user test3, but the password of user test3 can be reset through the /system/user/resetPwd request.
47,892 stars
CVSS 6.5
CVE-2024-57521 GITEE CRITICAL java
RuoYi < 4.7.9 - SQL Injection via SqlUtil.java createTable Function
SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java.
47,892 stars
CVSS 10.0
CVE-2024-9048 GITEE LOW java
RuoYi < 4.7.9 - Cross-Site Scripting in Backend User Import via loginName
A vulnerability was found in y_project RuoYi up to 4.7.9. It has been declared as problematic. Affected by this vulnerability is the function SysUserServiceImpl of the file ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java of the component Backend User Import. The manipulation of the argument loginName leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The patch is named 9b68013b2af87b9c809c4637299abd929bc73510. It is recommended to apply a patch to fix this issue.
47,892 stars
CVSS 3.1
CVE-2024-9048 GITEE LOW java
RuoYi < 4.7.9 - Cross-Site Scripting in Backend User Import via loginName
A vulnerability was found in y_project RuoYi up to 4.7.9. It has been declared as problematic. Affected by this vulnerability is the function SysUserServiceImpl of the file ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java of the component Backend User Import. The manipulation of the argument loginName leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The patch is named 9b68013b2af87b9c809c4637299abd929bc73510. It is recommended to apply a patch to fix this issue.
47,892 stars
CVSS 3.1
CVE-2024-6511 GITEE LOW java
RuoYi < 4.7.9 - Cross-Site Scripting via Content-Type Handler
A vulnerability classified as problematic was found in y_project RuoYi up to 4.7.9. Affected by this vulnerability is the function isJsonRequest of the component Content-Type Handler. The manipulation of the argument HttpHeaders.CONTENT_TYPE leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270343.
47,892 stars
CVSS 3.5
CVE-2025-56396 GITEE HIGH java
Ruoyi 4.8.1 - Privilege Escalation via Department Ownership
An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user.
47,892 stars
CVSS 8.8
CVE-2025-46175 GITEE HIGH java
Ruoyi v4.8.0 - Improper Access Control in SysUserController authRole Method
Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.
47,892 stars
CVSS 7.5
CVE-2025-46174 GITEE HIGH java
Ruoyi v4.8.0 - Improper Access Control in SysUserController resetPwd Method
Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.
47,892 stars
CVSS 7.5
CVE-2025-70986 GITEE HIGH java
RuoYi 4.8.2 - Unauthenticated Sensitive Data Exposure via selectDept Function
Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data.
47,892 stars
CVSS 7.5
CVE-2025-70985 GITEE CRITICAL java
RuoYi 4.8.2 - Unauthenticated Improper Access Control in Update Function
Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.
47,892 stars
CVSS 9.1
CVE-2022-4348 GITEE LOW java
RuoYi-Cloud - Cross-Site Scripting in JSON Handler
A vulnerability was found in y_project RuoYi-Cloud. It has been rated as problematic. Affected by this issue is some unknown functionality of the component JSON Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215108.
20,132 stars
CVSS 3.5