Skip to main content

Ruoyi CVE-2023-27025

HIGH
Download of Code Without Integrity Check (CWE-494)
2023-04-02 cve@mitre.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 02, 2023 - 01:15 nvd
HIGH 7.5

DescriptionNVD

An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server.

AnalysisAI

An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-494. An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server. Affected products include: Ruoyi.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Ruoyi

View all
CVE-2025-28412 CRITICAL POC
9.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeControlle

CVE-2025-28410 CRITICAL POC
9.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method does not prop

CVE-2025-28406 CRITICAL POC
9.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter. Rated critical sev

CVE-2025-28405 CRITICAL POC
9.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method. Rated critical se

CVE-2025-28402 CRITICAL POC
9.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter. Rated critical severi

CVE-2023-49371 CRITICAL POC
9.8 Dec 01

RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit. Rated critical severity

CVE-2022-4566 CRITICAL POC
9.8 Dec 16

A vulnerability, which was classified as critical, has been found in y_project RuoYi 4.7.5. Rated critical severity (CVS

CVE-2025-70985 CRITICAL POC
9.1 Jan 23

RuoYi v4.8.2 has an access control flaw in the update function allowing unauthorized attackers to modify arbitrary data

CVE-2025-28409 HIGH POC
8.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/{parentId} endp

CVE-2025-28407 HIGH POC
8.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the edit method of the /edit/{dictId} endp

CVE-2025-56396 HIGH POC
8.8 Nov 26

An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department havi

CVE-2022-23868 HIGH POC
7.8 Mar 30

RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file. Rated high s

Share

CVE-2023-27025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy