CVE-2022-21660

HIGH

gin-vue-admin < 2.4.6 - Missing Authorization in setUserInfo Function

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-21660. PoCs published by UzJu.

AI-analyzed exploit summary This repository provides a detailed writeup and proof-of-concept for CVE-2022-21660, a vertical privilege escalation vulnerability in Gin-Vue-admin. The vulnerability allows low-privilege users to modify administrative user information, including passwords, due to insufficient ID validation in the SetUserInfo endpoint.

Description

Gin-vue-admin is a backstage management system based on vue and gin. In versions prior to 2.4.7 low privilege users are able to modify higher privilege users. Authentication is missing on the `setUserInfo` function. Users are advised to update as soon as possible. There are no known workarounds.

Exploits (1)

nomisec WRITEUP 28 stars
by UzJu · poc
https://github.com/UzJu/Gin-Vue-admin-poc-CVE-2022-21660

This repository provides a detailed writeup and proof-of-concept for CVE-2022-21660, a vertical privilege escalation vulnerability in Gin-Vue-admin. The vulnerability allows low-privilege users to modify administrative user information, including passwords, due to insufficient ID validation in the SetUserInfo endpoint.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Gin-Vue-admin (version not specified)
Auth required
Prerequisites: Access to a low-privilege account · Valid session token
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 8.1
EPSS 0.0110
EPSS Percentile 61.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-862
Status published
Products (1)
gin-vue-admin_project/gin-vue-admin < 2.4.6
Published Feb 09, 2022
Tracked Since Feb 18, 2026