7.5

CVE-2025-46174

Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RuoyiRuoyi Version4.8.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.27% 0.179
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://gitee.com/y_project/RuoYi/issues/IC1JZR
Vendor Advisory
Issue Tracking
https://gitee.com/y_project/RuoYi/commit/ea4af7a8cf54393b11d3d286e0aaeb3df8a9aaef
Permissions Required
https://gist.github.com/Han-tj/29543ce0dae8cbb3bcbedca3390844a9
Third Party Advisory