Ruoyi Vue
Monthly
Unrestricted file upload in RuoYi-Vue (versions 3.9.0-3.9.2) exposes the FileUploadUtils.upload function at the /common/upload endpoint to arbitrary file upload by authenticated remote attackers, potentially enabling server-side code execution if the uploaded file is accessible and executed by the web server. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) scores 5.3 Medium, reflecting low-privilege authentication as the primary barrier; no compensating controls enforce file-type validation at the endpoint. No public exploit code has been identified and no active exploitation is confirmed, though the vendor did not respond to responsible disclosure, leaving the fix status unresolved.
A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.8.9 and classified as problematic. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Unrestricted file upload in RuoYi-Vue (versions 3.9.0-3.9.2) exposes the FileUploadUtils.upload function at the /common/upload endpoint to arbitrary file upload by authenticated remote attackers, potentially enabling server-side code execution if the uploaded file is accessible and executed by the web server. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) scores 5.3 Medium, reflecting low-privilege authentication as the primary barrier; no compensating controls enforce file-type validation at the endpoint. No public exploit code has been identified and no active exploitation is confirmed, though the vendor did not respond to responsible disclosure, leaving the fix status unresolved.
A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.8.9 and classified as problematic. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.