An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the selectDeptTree method of the /selectDeptTree/{deptId} endpoint does not properly validate the deptId parameter
The selectDeptTree method handling the /selectDeptTree/{deptId} endpoint does not perform proper validation of the deptId parameter passed by the user. An unauthenticated remote attacker can craft an appropriate HTTP request with a manipulated deptId value, resulting in unauthorized privilege escalation in the application. The vulnerability is classified as CWE-284 (Improper Access Control), indicating a lack of access control to a sensitive resource.
An attacker can obtain elevated privileges in the system, potentially leading to complete takeover of the application, including violation of data confidentiality, integrity, and availability.
Apply patches available from the vendor according to references. It is recommended to monitor the project repository (https://github.com/yangzongzhuan/RuoYi) for updates. Until the patch is deployed, consider restricting access to the /selectDeptTree/{deptId} endpoint at the firewall or reverse proxy level.
RuoYi v.4.8.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRuoyi
APPRuoyi4.8.0
Related vulnerabilities
RuoYi v4.8.2 — nieprawidłowa kontrola dostępu w funkcji aktualizacji
SQL Injection (RCE) w RuoYi v.4.7.9 i wcześniejszych — funkcja createTable
RuoYi 4.8.0 – privilege escalation przez metodę changeStatus
Eskalacja uprawnień przez parametr jobId w RuoYi v.4.8.0
Eskalacja uprawnień w RuoYi v.4.8.0 poprzez parametr jobLogId