CVE-2024-57436

HIGH7.2EPSS 0.24%

RuoYi allowed unauthorized attackers to view the session ID of the admin in the system monitoring

發布日:2025/1/29修改日:2025/1/29

描述

RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.

受影響套件(1)

Maven/com.ruoyi:ruoyifrom 0, <= 4.8.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	HIGH7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-57436
PATCHhttps://gitee.com/y_project/RuoYi
WEBhttps://github.com/peccc/restful_vul/blob/main/ruoyi_elevation_of_privileges/ruoyi_elevation_of_privileges.md
WEBhttps://github.com/yangzongzhuan/RuoYi
WEBhttps://ruoyi.vip