RuoYi Vulnerability: Cross Site Scripting Exploit Disclosed
CVE-2024-9048

6.1MEDIUM

Key Information:

Vendor: Y Project
Status: Ruoyi
Vendor: CVE Published:; 21 September 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-9048?

A vulnerability affecting the RuoYi framework was identified, specifically within the SysUserServiceImpl class of the Backend User Import component. This flaw arises from improper handling of the loginName argument, which could be exploited to perform Cross Site Scripting (XSS) attacks. The vulnerability is remotely exploitable, making it a significant concern for users of versions up to 4.7.9. Although the complexity of executing this attack is deemed high, the potential for exploitation has been publicly disclosed. It is strongly advised to implement the provided patch, identified by the hash 9b68013b2af87b9c809c4637299abd929bc73510, to secure systems against this vulnerability.

Affected Version(s)

RuoYi 4.7.0

RuoYi 4.7.1

RuoYi 4.7.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-9048 - Proof of Concept

References

https://vuldb.com/?id.278215

vdb-entrytechnical-description

https://vuldb.com/?ctiid.278215

signaturepermissions-required

https://gitee.com/y_project/RuoYi/issues/IAR6Q3

exploitissue-tracking

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Sep 21, 2024
👾
Exploit known to exist
Sep 21, 2024
Vulnerability published
Sep 21, 2024
Vulnerability Reserved
Sep 20, 2024

Credit

VulDB Gitee Analyzer

Y Project