An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method
The vulnerability classified as CWE-284 (Improper Access Control) affects the changeStatus method in the RuoYi application. A remote attacker can invoke this method without appropriate permissions, resulting in lack of proper access control verification on the server side. As a result, it is possible to escalate own privileges to a higher level in the application.
An attacker can obtain elevated privileges in the system, which potentially leads to complete takeover of the application, data modification, and violation of confidentiality and availability of resources.
Apply patches available from the vendor according to references. It is recommended to monitor the official RuoYi project repository on GitHub to obtain current information about security patches.
RuoYi v.4.8.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRuoyi
APPRuoyi4.8.0
Related vulnerabilities
RuoYi v4.8.2 — nieprawidłowa kontrola dostępu w funkcji aktualizacji
SQL Injection (RCE) w RuoYi v.4.7.9 i wcześniejszych — funkcja createTable
Eskalacja uprawnień w RuoYi v.4.8.0 poprzez parametr jobLogId
Eskalacja uprawnień przez parametr jobId w RuoYi v.4.8.0
RuoYi 4.8.0 — privilege escalation przez brak walidacji parametru deptId