CRITICAL🇵🇱 Wersja polska

CVE-2025-28402

CVSS 9.8v3.1pub. 2025-04-07upd. 2025-04-09

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter

🤖 AI Analysis
How it works

An attacker can send a crafted network request containing a manipulated jobId parameter value. Insufficient access control (CWE-284) causes the application to fail to properly verify permissions for operations related to this parameter. As a result, an unauthorized remote user is able to obtain a higher level of privileges in the system.

Impact

An attacker can take control of the application or system by obtaining elevated privileges, which threatens the confidentiality, integrity, and availability of data and system resources.

Mitigation & patch

Apply patches available from the vendor according to the references. It is recommended to monitor the official RuoYi project repository at https://github.com/yangzongzhuan/RuoYi for current information about patches.

Who is affected

RuoYi v.4.8.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ruoyi

    APP
    Ruoyi
    4.8.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2025-70985CRITICAL9.1PL ✓ten sam produkt

RuoYi v4.8.2 — nieprawidłowa kontrola dostępu w funkcji aktualizacji

CVE-2024-57521CRITICAL10.0PL ✓ten sam produkt

SQL Injection (RCE) w RuoYi v.4.7.9 i wcześniejszych — funkcja createTable

CVE-2025-28406CRITICAL9.8PL ✓ten sam produkt

Eskalacja uprawnień w RuoYi v.4.8.0 poprzez parametr jobLogId

CVE-2025-28405CRITICAL9.8PL ✓ten sam produkt

RuoYi 4.8.0 – privilege escalation przez metodę changeStatus

CVE-2025-28408CRITICAL9.8PL ✓ten sam produkt

RuoYi 4.8.0 — privilege escalation przez brak walidacji parametru deptId