RuoYi Unauthorized Session ID Exposure Vulnerability Allowing Admin Impersonation

Vulnerability

An elevation of privilege vulnerability exists in RuoYi version 4.8.0: users who hold only system monitoring privileges can view the admin's session ID. An attacker can exploit this exposure to impersonate the admin by sending a crafted cookie that carries the captured session ID.

Impact

Exploitation of this vulnerability allows users with monitoring privileges to impersonate admin users, potentially leading to unauthorized access and elevated privileges within the application.

Reproduction

To reproduce this vulnerability, a user with system monitoring privileges opens the system monitoring feature, where the admin session ID is displayed. Once the session ID is obtained, the admin can be impersonated by crafting a cookie that carries that session ID and sending it to the application.
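The root cause is a monitoring view that renders the raw session ID as the row identifier. The added example below (illustrative Python, not RuoYi's own Java code) contrasts that weak form with a hardened one in which rows carry an HMAC-derived handle that the server resolves itself for operations such as forced logout, and includes a check that flags any rendered value containing a raw session ID. The session store, IDs, users and key are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample session store: raw session ID -> online-user record.
# The IDs, users and addresses are made up for this example.
ONLINE_SESSIONS: Dict[str, Dict[str, str]] = {
    "3f9c1d2e7a4b5c6d8e9f0a1b2c3d4e5f": {"user": "admin", "ip": "10.0.0.5"},
    "7b2a9e8d6c5f4a3b2c1d0e9f8a7b6c5d": {"user": "monitor", "ip": "10.0.0.9"},
}


def list_online_raw(sessions: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Weak form: renders the raw session ID, which is exactly what the page reports."""
    return [{"sessionId": sid, **info} for sid, info in sessions.items()]


class SessionMonitor:
    """Hardened form: rows carry an opaque handle, never the raw session ID."""

    def __init__(self, sessions: Dict[str, Dict[str, str]], key: bytes) -> None:
        self.sessions = sessions
        self._key = key  # server-side secret; never sent to the browser

    def _handle_for(self, session_id: str) -> str:
        # Keyed hash: a viewer of the handle cannot recover the session ID from it.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()[:16]

    def list_online(self) -> List[Dict[str, str]]:
        """Rows safe to render in the monitoring view."""
        return [{"handle": self._handle_for(sid), **info} for sid, info in self.sessions.items()]

    def force_logout(self, handle: str) -> bool:
        """Resolve the handle server-side and terminate the matching session."""
        for sid in list(self.sessions):
            if hmac.compare_digest(self._handle_for(sid), handle):
                del self.sessions[sid]
                return True
        return False


def exposes_session_id(rows: List[Dict[str, str]], sessions: Dict[str, Dict[str, str]]) -> bool:
    """Detection check: does any rendered value contain a raw session ID?"""
    return any(sid in str(value) for row in rows for value in row.values() for sid in sessions)
```

The check is useful as a unit test against any monitoring or audit endpoint that lists sessions, since it fails the moment a raw ID leaks into a rendered field.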

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.