Advisories for Maven/Com.ruoyi/Ruoyi package

2023

RuoYi vulnerable to SQL injection vulnerability

RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A vulnerability, which was classified as problematic, has been found in y_project RuoYi up to 4.7.7. Affected by this issue is the function uploadFilesPath of the component File Upload. The manipulation of the argument originalFilenames leads to cross site scripting. The attack may be launched remotely. VDB-235118 is the identifier assigned to this vulnerability.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

A vulnerability was found in y_project RuoYi up to 4.7.7. It has been classified as problematic. Affected is the function filterKeyword. The manipulation of the argument value leads to resource consumption. VDB-231090 is the identifier assigned to this vulnerability.

Download of Code Without Integrity Check

An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server.

2022

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

An arbitrary file upload vulnerability in the background management module of RuoYi v4.7.3 and below allows attackers to execute arbitrary code via a crafted HTML file.