YunaiV ruoyi-vue-pro Improper Authorization Vulnerability in Contract Transfer Function

Vulnerability

A critical improper authorization vulnerability has been identified in YunaiV ruoyi-vue-pro versions prior to 2025.09. The flaw is in the CRM contract transfer endpoint '/crm/contract/transfer': the handler acts on the 'id' and 'newOwnerUserId' request parameters without verifying that the caller owns the contract identified by 'id', so an authenticated user who holds the contract update permission can reassign any contract to any user. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

An authenticated user who holds the 'crm:contract:update' permission but does not own a given contract can transfer ownership of that contract to themselves or to another user. This lets them take control of contracts belonging to other users and read or modify the contract-related data that ownership confers.

Reproduction

To reproduce this vulnerability, log in as a user who holds the 'crm:contract:update' permission but does not own the target contract. Issue the contract transfer request to '/crm/contract/transfer' (for example by intercepting a legitimate transfer with a proxy), set 'id' to the identifier of a contract owned by another user and 'newOwnerUserId' to the desired new owner, and send it. A vulnerable instance accepts the request and changes the contract's owner; a patched instance should reject it.
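The missing check, modelled as an added example that is not ruoyi-vue-pro's code: an in-memory service with the vulnerable pattern (only the function-level permission is checked) beside the hardened one (the caller must also own the contract named by 'id'), and a replay of the reproduction scenario above against both. The class and function names, the owner-only transfer policy and the sample users and contract are assumptions; only the endpoint, the parameter names and the permission string come from this advisory.

```python
"""Model of the ownership check missing from a contract-transfer endpoint.

Added illustration, not ruoyi-vue-pro code. Contract, User, ContractService,
the owner-only transfer policy and the sample data below are assumptions;
the permission string and parameter names come from the advisory.
"""
from dataclasses import dataclass, field


@dataclass
class Contract:
    id: int
    owner_user_id: int


@dataclass
class User:
    id: int
    permissions: set[str] = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the caller may not perform the requested transfer."""


TRANSFER_PERMISSION = "crm:contract:update"


class ContractService:
    """In-memory stand-in for the service behind /crm/contract/transfer."""

    def __init__(self, contracts):
        self.contracts = {c.id: c for c in contracts}

    def transfer_vulnerable(self, caller, contract_id, new_owner_user_id):
        # Vulnerable pattern: only the coarse function permission is checked.
        # Nothing ties the caller to the specific contract named by 'id',
        # so any holder of the permission can reassign any contract.
        if TRANSFER_PERMISSION not in caller.permissions:
            raise Forbidden("missing crm:contract:update")
        contract = self.contracts[contract_id]
        contract.owner_user_id = new_owner_user_id
        return contract

    def transfer_fixed(self, caller, contract_id, new_owner_user_id):
        # Hardened pattern: function permission AND object-level ownership
        # check. The object-level check is what the vulnerable variant lacks.
        if TRANSFER_PERMISSION not in caller.permissions:
            raise Forbidden("missing crm:contract:update")
        contract = self.contracts.get(contract_id)
        if contract is None:
            raise KeyError(f"contract {contract_id} not found")
        if contract.owner_user_id != caller.id:
            raise Forbidden(
                f"user {caller.id} does not own contract {contract_id}")
        contract.owner_user_id = new_owner_user_id
        return contract


def reproduce():
    """Replay the advisory's scenario against both variants.

    Constructed data: contract 42 belongs to user 1; user 2 holds the update
    permission but is not the owner and tries to move the contract to user 3.
    Returns the owner of contract 42 after each attempt, or 'Forbidden' when
    the request was rejected.
    """
    attacker = User(id=2, permissions={TRANSFER_PERMISSION})
    results = {}
    for name, method in (("vulnerable", "transfer_vulnerable"),
                         ("fixed", "transfer_fixed")):
        svc = ContractService([Contract(id=42, owner_user_id=1)])
        try:
            getattr(svc, method)(attacker, contract_id=42, new_owner_user_id=3)
            results[name] = svc.contracts[42].owner_user_id
        except Forbidden:
            results[name] = "Forbidden"
    return results


def legitimate_transfer():
    """The real owner (user 1) transfers contract 42 to user 3 under the fix."""
    owner = User(id=1, permissions={TRANSFER_PERMISSION})
    svc = ContractService([Contract(id=42, owner_user_id=1)])
    return svc.transfer_fixed(owner, 42, 3).owner_user_id


if __name__ == "__main__":
    print(reproduce())            # {'vulnerable': 3, 'fixed': 'Forbidden'}
    print(legitimate_transfer())  # 3
```

The function-level permission is still required in the fixed variant; the fix adds the object-level check rather than replacing the existing one. Whether the project also allows an administrator role to transfer on the owner's behalf is not stated on this page, so the model uses owner-only.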

Added: Sep 12, 2025, 3:20 AM
Updated: Sep 12, 2025, 3:20 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  6.6
remediation     0.0
relevance       0.5
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.