Improper Authorization in yangzongzhuan RuoYi Role Handler
CVE-2025-10384

5.3MEDIUM

Key Information:

Vendor

Yangzongzhuan

Status
Ruoyi
Vendor
CVE Published:
13 September 2025

What is CVE-2025-10384?

A vulnerability exists in yangzongzhuan RuoYi versions up to 4.8.1, specifically within the Role Handler component found at /system/role/authUser/cancelAll. This flaw allows an attacker to manipulate the parameters roleId or userIds, which may lead to improper authorization during critical operations. The attack can be executed remotely, raising significant security risks. Despite being notified, the vendor has not provided any response regarding this issue.

Affected Version(s)

RuoYi 4.8.0

RuoYi 4.8.1

References

https://vuldb.com/?id.323819
vdb-entrytechnical-description
https://vuldb.com/?ctiid.323819
signaturepermissions-required
https://vuldb.com/?submit.643810
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

aibot88 (VulDB User)
.