CVE-2022-23869
Severity: MEDIUM
RuoYi 4.7.2 - Incorrect Permission Assignment for Critical Resource via /system/user/resetPwd
Title source: llmDescription
In RuoYi v4.7.2, user test1 does not have permission through the WebUI to reset the password of user test3, yet test3's password can still be reset by sending the /system/user/resetPwd request directly: the permission check is enforced only in the UI, not on the server-side endpoint.
References (1)
Exploit, Issue Tracking, Third Party Advisory (x_refsource_misc): https://gitee.com/y_project/RuoYi/issues/I4RCO2
Scores
CVSS v3: 6.5
EPSS: 0.0013
EPSS Percentile: 32.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE: CWE-732
Status: published
Products (1): ruoyi/ruoyi 4.7.2
Published: Mar 30, 2022
Tracked Since: Feb 18, 2026