CVE-2024-9048
Severity: LOW
RuoYi < 4.7.9 - Cross-Site Scripting in Backend User Import via loginName
Title source: llmDescription
A cross-site scripting vulnerability was found in y_project RuoYi up to 4.7.9 and has been rated problematic. The affected code is the SysUserServiceImpl service class in the file ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java, part of the Backend User Import component. Manipulation of the loginName argument, that is, the login name carried in an imported user record, leads to cross-site scripting (CWE-79). The attack can be launched remotely, but attack complexity is high and exploitation appears difficult. An exploit has been disclosed publicly and may be used. The fix is commit 9b68013b2af87b9c809c4637299abd929bc73510; applying the patch is recommended.
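The pattern behind this class of bug, shown as an added example that is not code from the RuoYi project or from the advisory: an import routine that persists whatever login name the uploaded file contains, and a template that interpolates that name without encoding, beside a hardened import that enforces an allowlist on loginName before the record is stored and a renderer that encodes for the HTML text-node context. The CSV stand-in for the Excel import, the allowlist pattern, and the function names are assumptions of this example, not RuoYi's own rules or API.

```python
import csv
import html
import io
import re
from dataclasses import dataclass, field

# Constructed sample import file. RuoYi imports users from Excel; a CSV
# stand-in with the same columns is used so the example runs offline.
SAMPLE_IMPORT = """loginName,userName,email
alice,Alice Liddell,alice@example.com
"<img src=x onerror=alert(1)>",Mallory,mallory@example.com
bob.smith,Bob Smith,bob@example.com
"""

# Allowlist for login names. This pattern is an assumption of the example,
# not RuoYi's validation rule: letters, digits, dot, underscore, hyphen,
# 2 to 20 characters. Anything else (including '<', '>', '"', quotes) is
# rejected before it reaches the database.
LOGIN_NAME_RE = re.compile(r"[A-Za-z0-9._-]{2,20}")


@dataclass
class ImportResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (loginName, reason)


def import_users_unsafe(text):
    """Vulnerable pattern: every row is taken as-is, so a loginName carrying
    markup is persisted and later rendered to every admin who lists users."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def import_users_checked(text):
    """Hardened pattern: reject any row whose loginName fails the allowlist.
    Validating at import time keeps the payload out of the database, so it
    cannot resurface through other views that render the same field."""
    result = ImportResult()
    for row in csv.DictReader(io.StringIO(text)):
        name = row.get("loginName", "") or ""
        if not LOGIN_NAME_RE.fullmatch(name):
            result.rejected.append((name, "loginName contains disallowed characters"))
            continue
        result.accepted.append(dict(row))
    return result


def render_user_row_unsafe(user):
    """Template that interpolates without encoding: the payload executes."""
    return f"<tr><td>{user['loginName']}</td><td>{user['userName']}</td></tr>"


def render_user_row_escaped(user):
    """Output encoding for an HTML text-node context. This is the second
    layer: even if a bad value reaches the database, it renders inert."""
    return (
        f"<tr><td>{html.escape(user['loginName'])}</td>"
        f"<td>{html.escape(user['userName'])}</td></tr>"
    )


if __name__ == "__main__":
    for user in import_users_unsafe(SAMPLE_IMPORT):
        print("unsafe  :", render_user_row_unsafe(user))
    checked = import_users_checked(SAMPLE_IMPORT)
    for user in checked.accepted:
        print("checked :", render_user_row_escaped(user))
    for name, reason in checked.rejected:
        print("rejected:", repr(name), "-", reason)
```

Both layers matter: input validation at import stops the payload from being stored, and output encoding protects every template that later displays the field, including ones written after the import code was reviewed.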
References (5)
Third Party Advisory, VDB Entry (technical description): https://vuldb.com/?id.278215
Permissions Required, Third Party Advisory, VDB Entry (signature): https://vuldb.com/?ctiid.278215
Issue Tracking (exploit): https://gitee.com/y_project/RuoYi/issues/IAR6Q3
Issue Tracking: https://gitee.com/y_project/RuoYi/issues/IAR6Q3#note_31993641_link
Patch, Permissions Required: https://gitee.com/y_project/RuoYi/commit/9b68013b2af87b9c809c4637299abd929bc73510
Scores
CVSS v3.1 base score: 3.1 (Low)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0014 (percentile 33.5%)
CISA SSVC (Vulnrichment): Exploitation: poc; Automatable: no; Technical Impact: partial
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (1): ruoyi/ruoyi < 4.7.9
Published: Sep 21, 2024
Tracked Since: Feb 18, 2026