Skip to main content

Ruoyi CVE-2024-41599

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-07-19 cve@mitre.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 19, 2024 - 20:15 nvd
MEDIUM 6.1

DescriptionNVD

Cross Site Scripting vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the file upload method

AnalysisAI

Cross Site Scripting vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the file upload method. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross Site Scripting vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the file upload method Affected products include: Ruoyi.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Ruoyi

View all
CVE-2025-28412 CRITICAL POC
9.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeControlle

CVE-2025-28410 CRITICAL POC
9.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method does not prop

CVE-2025-28406 CRITICAL POC
9.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter. Rated critical sev

CVE-2025-28405 CRITICAL POC
9.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method. Rated critical se

CVE-2025-28402 CRITICAL POC
9.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter. Rated critical severi

CVE-2023-49371 CRITICAL POC
9.8 Dec 01

RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit. Rated critical severity

CVE-2022-4566 CRITICAL POC
9.8 Dec 16

A vulnerability, which was classified as critical, has been found in y_project RuoYi 4.7.5. Rated critical severity (CVS

CVE-2025-70985 CRITICAL POC
9.1 Jan 23

RuoYi v4.8.2 has an access control flaw in the update function allowing unauthorized attackers to modify arbitrary data

CVE-2025-28409 HIGH POC
8.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/{parentId} endp

CVE-2025-28407 HIGH POC
8.8 Apr 07

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the edit method of the /edit/{dictId} endp

CVE-2025-56396 HIGH POC
8.8 Nov 26

An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department havi

CVE-2022-23868 HIGH POC
7.8 Mar 30

RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file. Rated high s

Share

CVE-2024-41599 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy