CVE-2025-7902: RuoYi 4.8.1 Vulnerable to Cross-Site Scripting (XSS)

RuoYi, a popular open-source Java-based rapid development framework, has a reported vulnerability that could allow attackers to inject malicious scripts into web pages. This is particularly concerning, as successful exploitation could lead to account compromise or other malicious activity.

Vulnerability Details

  • CVE ID: CVE-2025-7902
  • Description: A cross-site scripting (XSS) vulnerability exists in the addSave function of the com/ruoyi/web/controller/system/SysNoticeController.java file in RuoYi version 4.8.1 and earlier. This flaw allows an attacker to inject arbitrary web scripts into the browser of a user.
  • CVSS Score and Vector:
    • CVSS v3.1: 3.5 (LOW) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
    • CVSS v4.0: 5.1 (MEDIUM) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Explanation: The score is low because of the conditions encoded in the vector. The attacker needs a valid low-privileged account to submit the payload (PR:L), a victim must then interact with the injected content (UI:R, e.g., by clicking a link), and the only rated impact is a low loss of integrity (I:L) with no confidentiality or availability impact and no scope change (S:U). In practical terms, an attacker can modify some content but cannot compromise the system outright through this flaw alone.

  • Exploit Requirements: An attacker needs to have a valid user account and be able to inject the malicious script into the affected function. The victim must also interact with the injected script.
  • Affected Vendor, Product, Version: yangzongzhuan RuoYi up to version 4.8.1
  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) - This means the application is not properly sanitizing user input before displaying it on a web page, allowing an attacker to inject malicious scripts.

Timeline of Events

  • 2025-07-20: Vulnerability Reported
  • 2025-07-20: CVE ID Assigned
  • 2025-07-20: Public Disclosure

Exploitability & Real-World Risk

While the CVSS score is relatively low, the real-world risk can be significant. RuoYi is often used as a backend framework for enterprise applications. A successful XSS attack could allow an attacker to steal user credentials, deface web pages, or redirect users to malicious websites. If an administrator account is compromised, the attacker could gain complete control of the application.

Recommendations

  • Update to the latest version: Upgrade RuoYi to a version that includes a fix for this vulnerability. Check the official RuoYi website for updates.
  • Input Validation: Implement robust input validation and sanitization to prevent malicious scripts from being injected into the application.
  • Output Encoding: Encode all output displayed on web pages to prevent the browser from interpreting it as executable code.
  • Web Application Firewall (WAF): Consider using a WAF to detect and block XSS attacks.

Technical Insight

The vulnerability lies within the addSave function. This function likely handles user-provided input without properly sanitizing it. By injecting specially crafted input (e.g., including <script> tags), an attacker can execute arbitrary JavaScript code in the context of the victim's browser.
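The following is an added example, not RuoYi's own code, that contrasts the pattern described above (user-supplied notice text emitted into HTML as-is) with the two mitigations recommended earlier, output encoding at render time and an input-side allowlist. Class, method and field names are hypothetical, and the title policy in the regular expression is an assumed one, not RuoYi's.

```java
import java.util.regex.Pattern;

/**
 * Added example (not project code). Shows a vulnerable render path beside a
 * hardened one and a reject-on-failure allowlist for a short text field.
 */
public class NoticeRendering {

    // Hypothetical policy: 1..50 letters, digits, spaces and a little punctuation, no markup metacharacters
    private static final Pattern TITLE_ALLOWLIST =
            Pattern.compile("^[\\p{L}\\p{N} .,:;()\\-]{1,50}$");

    /** Vulnerable pattern: stored text concatenated straight into markup. */
    public static String renderUnsafe(String noticeContent) {
        return "<div class=\"notice\">" + noticeContent + "</div>";
    }

    /** HTML-entity encode the characters that can break out of a text or attribute context. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened pattern: encode at the point of output, for the HTML text context. */
    public static String renderSafe(String noticeContent) {
        return "<div class=\"notice\">" + escapeHtml(noticeContent) + "</div>";
    }

    /** Input validation for a short field: reject anything outside the allowlist rather than "clean" it. */
    public static boolean isValidTitle(String title) {
        return title != null && TITLE_ALLOWLIST.matcher(title).matches();
    }

    public static void main(String[] args) {
        // Constructed sample input containing a script tag and quote characters
        String content = "Maintenance tonight <script>alert('x')</script> \"quoted\"";
        System.out.println(renderUnsafe(content)); // the <script> element survives intact and would run
        System.out.println(renderSafe(content));   // &lt;script&gt;... is displayed as inert text
        System.out.println(isValidTitle("System maintenance (20:00)")); // true
        System.out.println(isValidTitle("<b>urgent</b>"));              // false
    }
}
```

Two points the example is built around. Encoding belongs at the output, in the context the value lands in (HTML text here; attribute, URL and JavaScript contexts each need their own encoder), because the same stored string may be rendered in several places. And if a notice body is intended to carry rich HTML from an editor, entity-encoding everything would break it; in that case the content should instead pass through an HTML sanitizer with an allowlist of tags and attributes (the OWASP Java HTML Sanitizer is one such library) before it is stored or rendered. Template engines that escape by default, such as Thymeleaf with th:text, only help on paths that use them; raw-markup output and string concatenation, as in renderUnsafe above, are where this class of bug lives.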

Credit to Researcher(s)

This vulnerability was reported via GitHub issues.

Tags

#XSS #CVE-2025-7902 #WebSecurity #Java #RuoYi #Security

Summary: A cross-site scripting (XSS) vulnerability has been identified in RuoYi version 4.8.1 within the addSave function. This flaw allows an attacker to inject malicious scripts into the browser of a user, potentially leading to data theft or other malicious activity. Users are advised to upgrade to the latest version and implement proper input validation and output encoding techniques to mitigate the risk.

CVE ID: CVE-2025-7902

Risk Analysis: Successful exploitation could lead to an attacker stealing cookies, defacing web pages, or redirecting users to malicious sites. While the direct impact is limited, it could be used in conjunction with other vulnerabilities for a more severe attack.

Recommendation: Update to the latest version of RuoYi, and implement proper input validation and output encoding to prevent XSS attacks.

Timeline

  • 2025-07-20: Vulnerability reported and CVE ID assigned.
