YunaiV yudao-cloud Improper Authorization Vulnerability in Business Transfer Function

Vulnerability

An improper authorization vulnerability has been identified in YunaiV yudao-cloud versions prior to 2025.09. The affected code is an unknown part of the '/crm/business/transfer' endpoint: manipulating the 'ids' and 'newOwnerUserId' arguments leads to an authorization bypass. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows improper authorization: an authenticated user can perform the transfer action on CRM business records they do not own, without the necessary permissions.

Reproduction

To reproduce this vulnerability, log in with a user account that has the 'crm:business:update' permission. Identify a business ID that belongs to another user and a new owner ID, which can be your own user ID. Then, send an HTTP request that includes the manipulated 'ids/newOwnerUserId' argument to the '/crm/business/transfer' endpoint.
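The missing check, as an added illustration that is not yudao-cloud's own code: a transfer handler that relies only on the 'crm:business:update' permission beside one that also verifies the caller currently owns every business in the 'ids' batch before reassigning it to 'newOwnerUserId'. The data model (one owner user id per business) and the rule that only the current owner may transfer are assumptions; a real deployment may also grant that right to supervisors or administrators as an extra branch.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Illustrative model only, not yudao-cloud's own code. Assumes each CRM business has
// one owner user id and that the caller already holds 'crm:business:update'.
public class BusinessTransferCheck {
    // Constructed sample data: business id -> current owner user id.
    final Map<Long, Long> owners = new HashMap<>(Map.of(1001L, 1L, 1002L, 2L));

    // Vulnerable pattern: only the permission gates the request, so any holder of
    // crm:business:update can reassign a business that belongs to someone else.
    void transferUnchecked(long callerId, List<Long> ids, long newOwnerUserId) {
        for (Long id : ids) {
            owners.put(id, newOwnerUserId);
        }
    }

    // Hardened pattern: validate ownership of every id before touching any record,
    // so a batch containing one foreign business is rejected as a whole.
    void transferChecked(long callerId, List<Long> ids, long newOwnerUserId) {
        for (Long id : ids) {
            Long owner = owners.get(id);
            if (owner == null) {
                throw new IllegalArgumentException("business not found: " + id);
            }
            if (owner.longValue() != callerId) {
                throw new SecurityException("user " + callerId + " does not own business " + id);
            }
        }
        for (Long id : ids) {
            owners.put(id, newOwnerUserId);
        }
    }

    public static void main(String[] args) {
        // User 1 tries to move business 1002, owned by user 2, to itself.
        BusinessTransferCheck weak = new BusinessTransferCheck();
        weak.transferUnchecked(1L, List.of(1002L), 1L);
        System.out.println("unchecked: business 1002 owner is now " + weak.owners.get(1002L));
        BusinessTransferCheck hard = new BusinessTransferCheck();
        try {
            hard.transferChecked(1L, List.of(1002L), 1L);
        } catch (SecurityException e) {
            System.out.println("checked: rejected (" + e.getMessage() + ")");
        }
        System.out.println("checked: business 1002 owner is still " + hard.owners.get(1002L));
    }
}
```

Checking the whole batch before writing anything matters because a partial transfer would leave some records reassigned even when the request is ultimately rejected.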

Added: Sep 12, 2025, 2:16 AM
Updated: Sep 12, 2025, 2:16 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.