RuoYi
cpe:2.3:a:ruoyi:ruoyi:*:*:*:*:*:*:*
- 4.8.0
A denial-of-service vulnerability has been identified in the password reset interface of RuoYi version 4.8.0. This issue allows attackers with admin privileges to duplicate the login name of any user account, including the admin account. The duplication of the login name prevents the user from logging in, effectively causing a denial-of-service condition.
Exploitation of this vulnerability leads to a denial-of-service condition, where the affected user, including admin users, is unable to log in to the system.
To reproduce this vulnerability, an attacker must first log in to the RuoYi system with admin privileges. Once logged in, the attacker navigates to the password reset interface and initiates a password reset for any user account. During this process, the attacker can overwrite that account's login name with a duplicate of an existing one, so the original login name no longer identifies a single account. After the login name has been duplicated, an attempt to log in as the admin user fails, demonstrating the denial-of-service condition.
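The flaw described above, modelled as an added example that is not RuoYi's own code: a password-reset handler that writes back a caller-supplied login name without a uniqueness check, beside a hardened handler that refuses a name already used by another account, plus the audit query a defender would run to spot accounts whose login name has become ambiguous. The user store, field names and sample accounts are constructed for illustration and are assumptions, not RuoYi's schema.

```python
from dataclasses import dataclass
from collections import Counter


@dataclass
class User:
    user_id: int
    login_name: str
    password_hash: str  # constructed sample: a plain string stands in for a real hash


class UserStore:
    """Minimal in-memory model of a user table keyed by user_id (assumption)."""

    def __init__(self, users):
        self.users = {u.user_id: u for u in users}

    def login(self, login_name, password_hash):
        # Lookup is by login name; once two rows share it the match is ambiguous
        # and authentication fails, which is the denial-of-service effect
        matches = [u for u in self.users.values() if u.login_name == login_name]
        return len(matches) == 1 and matches[0].password_hash == password_hash

    def reset_password_vulnerable(self, user_id, new_login_name, new_hash):
        # Vulnerable pattern: the reset request also carries a login name, which is
        # stored without checking that no other account already uses it
        user = self.users[user_id]
        user.login_name = new_login_name
        user.password_hash = new_hash
        return True

    def reset_password_hardened(self, user_id, new_login_name, new_hash):
        # Hardened: reject a login name that belongs to a different account
        for other in self.users.values():
            if other.user_id != user_id and other.login_name == new_login_name:
                return False
        user = self.users[user_id]
        user.login_name = new_login_name
        user.password_hash = new_hash
        return True

    def duplicate_login_names(self):
        # Detection check: login names that currently map to more than one account
        counts = Counter(u.login_name for u in self.users.values())
        return sorted(name for name, n in counts.items() if n > 1)


def make_store():
    # Constructed sample accounts, not real data
    return UserStore([User(1, "admin", "h-admin"), User(2, "alice", "h-alice")])
```

In a real deployment the same uniqueness rule belongs in the database as a unique constraint on the login-name column, so the check cannot be bypassed by any code path that skips the handler.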