CRITICAL🇵🇱 Wersja polska

CVE-2025-28405

CVSS 9.8v3.1pub. 2025-04-07upd. 2025-04-09

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method

🤖 AI Analysis
How it works

The vulnerability classified as CWE-284 (Improper Access Control) affects the changeStatus method in the RuoYi application. A remote attacker can invoke this method without appropriate permissions, resulting in lack of proper access control verification on the server side. As a result, it is possible to escalate own privileges to a higher level in the application.

Impact

An attacker can obtain elevated privileges in the system, which potentially leads to complete takeover of the application, data modification, and violation of confidentiality and availability of resources.

Mitigation & patch

Apply patches available from the vendor according to references. It is recommended to monitor the official RuoYi project repository on GitHub to obtain current information about security patches.

Who is affected

RuoYi v.4.8.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ruoyi

    APP
    Ruoyi
    4.8.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2025-70985CRITICAL9.1PL ✓ten sam produkt

RuoYi v4.8.2 — nieprawidłowa kontrola dostępu w funkcji aktualizacji

CVE-2024-57521CRITICAL10.0PL ✓ten sam produkt

SQL Injection (RCE) w RuoYi v.4.7.9 i wcześniejszych — funkcja createTable

CVE-2025-28406CRITICAL9.8PL ✓ten sam produkt

Eskalacja uprawnień w RuoYi v.4.8.0 poprzez parametr jobLogId

CVE-2025-28402CRITICAL9.8PL ✓ten sam produkt

Eskalacja uprawnień przez parametr jobId w RuoYi v.4.8.0

CVE-2025-28408CRITICAL9.8PL ✓ten sam produkt

RuoYi 4.8.0 — privilege escalation przez brak walidacji parametru deptId