YunaiV yudao-cloud Improper Authorization Vulnerability in Receivable Submission

Vulnerability

An improper authorization vulnerability has been identified in YunaiV yudao-cloud versions prior to 2025.09. The issue arises in the endpoint '/crm/receivable/submit', where manipulation of the 'ID' argument leads to unauthorized access. This vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability results in broken function level authorization, enabling an attacker to access or manipulate resources or actions they are not authorized to use.

Reproduction

To reproduce this vulnerability, log in with a user account that holds the 'crm:receivable:update' permission. Identify a receivable ID that belongs to another user and has not yet been submitted for approval. Then send an HTTP request to the '/crm/receivable/submit' endpoint with that ID as the 'ID' argument to exploit the improper authorization.
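The reproduction steps above describe the three conditions the endpoint fails to tie together: the caller holds the function-level permission, the receivable belongs to someone else, and it is still in a not-yet-submitted state. The following is an added, language-neutral model of that authorization logic, written in Python for this page; it is not yudao-cloud's own (Java) code, and the class names, the permission string's use, the in-memory store and the 'owner_user_id' / 'status' fields are assumptions made for illustration. It places a submit handler that checks only the permission (the pattern the advisory describes) beside a hardened handler that also enforces object ownership and the draft-state precondition.

```python
from dataclasses import dataclass
from enum import Enum


class AuditStatus(Enum):
    DRAFT = "draft"          # not yet submitted for approval
    SUBMITTED = "submitted"  # already in the approval flow


@dataclass
class Receivable:
    id: int
    owner_user_id: int      # assumed: the user who created / owns the record
    status: AuditStatus


@dataclass(frozen=True)
class User:
    id: int
    permissions: frozenset


class AuthorizationError(Exception):
    """Caller may not perform this action on this object."""


class StateError(Exception):
    """Object is not in a state that allows the action."""


SUBMIT_PERMISSION = "crm:receivable:update"


def make_store():
    """Constructed in-memory stand-in for the CRM receivable table (sample data)."""
    return {
        101: Receivable(101, owner_user_id=1, status=AuditStatus.DRAFT),
        102: Receivable(102, owner_user_id=2, status=AuditStatus.DRAFT),
        103: Receivable(103, owner_user_id=2, status=AuditStatus.SUBMITTED),
    }


def submit_vulnerable(user, receivable_id, store):
    """Function-level check only: any holder of the permission can submit any ID.

    This mirrors the flaw described in the advisory: nothing ties the
    supplied ID back to the caller, so another user's draft is accepted.
    """
    if SUBMIT_PERMISSION not in user.permissions:
        raise AuthorizationError("missing permission")
    rec = store[receivable_id]
    rec.status = AuditStatus.SUBMITTED
    return rec.id


def submit_hardened(user, receivable_id, store):
    """Function-level + object-level + state check before changing anything."""
    # 1. Function-level: the caller must be allowed to use this action at all.
    if SUBMIT_PERMISSION not in user.permissions:
        raise AuthorizationError("missing permission")

    # 2. Object-level: the record must exist AND belong to the caller.
    #    One error for both cases so the endpoint does not reveal which IDs exist.
    rec = store.get(receivable_id)
    if rec is None or rec.owner_user_id != user.id:
        raise AuthorizationError("receivable not accessible to this user")

    # 3. State: only a draft may be submitted; resubmission is rejected.
    if rec.status is not AuditStatus.DRAFT:
        raise StateError("receivable already submitted")

    rec.status = AuditStatus.SUBMITTED
    return rec.id


if __name__ == "__main__":
    alice = User(1, frozenset({SUBMIT_PERMISSION}))
    print("vulnerable:", submit_vulnerable(alice, 102, make_store()))  # accepts Bob's record
    try:
        submit_hardened(alice, 102, make_store())
    except AuthorizationError as e:
        print("hardened:", e)
```

The order of the three checks matters: the ownership check runs before any state inspection or mutation, and a missing record and a foreign record produce the same error, so the endpoint cannot be used to enumerate valid IDs even after the fix.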

Added: Sep 12, 2025, 3:17 AM
Updated: Sep 12, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          1.3
exploitability  6.6
remediation     0.0
relevance       0.5
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.