CVE-2024-9048
low-risk
Published 2024-09-21
A vulnerability was found in y_project RuoYi up to 4.7.9. It has been declared as problematic. Affected by this vulnerability is the function SysUserServiceImpl of the file ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java of the component Backend User Import. The manipulation of the argument loginName leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The patch is named 9b68013b2af87b9c809c4637299abd929bc73510. It is recommended to apply a patch to fix this issue.
Do I need to act?
-
0.14% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.1/10
Low
NETWORK
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (5)
Issue Tracking
https://gitee.com/y_project/RuoYi/issues/IAR6Q3
Permissions Required
https://vuldb.com/?ctiid.278215
Third Party Advisory
https://vuldb.com/?id.278215
17
/ 100
low-risk
Severity
11/34 · Low
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal