YunaiV ruoyi-vue-pro Improper Authorization Vulnerability in Contact Transfer Function
Vulnerability
An improper authorization vulnerability has been identified in YunaiV ruoyi-vue-pro versions through 2025.09. The issue resides in the contact transfer function, specifically within the file '/crm/contact/transfer'. The application does not verify that the requesting user is authorized to transfer the given contact, so a user can supply the ID of a contact owned by someone else and reassign it to another user without proper rights. The flaw can be exploited remotely, and a proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows unauthorized users to transfer contact ownership within the system, bypassing ownership restrictions. This could lead to unauthorized access to sensitive contact information, disruption of business relationships, and potential data theft, especially regarding key customer contacts.
Reproduction
To reproduce this vulnerability, log in as a user with the 'crm:contact:update' permission, but who is not the owner of the contact being transferred. Intercept the request to transfer a contact and modify it to include the ID of a contact owned by another user, along with the ID of the new owner. Send the modified request; if successful, the contact will be transferred without proper authorization.
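As an added illustration (not ruoyi-vue-pro's own code), the missing object-level check described above beside its hardened form, in plain Java; the class, method and field names and the in-memory contact store are assumed:

```java
// Added example, not project code: the contact-transfer authorization flaw
// and its fix. Names are assumed; the contact store is constructed in memory.
import java.util.HashMap;
import java.util.Map;

public class ContactTransferExample {

    static final class Contact {
        final long id;
        long ownerUserId;
        Contact(long id, long ownerUserId) { this.id = id; this.ownerUserId = ownerUserId; }
    }

    // Constructed stand-in for the database.
    private final Map<Long, Contact> contacts = new HashMap<>();

    ContactTransferExample() {
        contacts.put(1001L, new Contact(1001L, 1L)); // owned by user 1
        contacts.put(1002L, new Contact(1002L, 2L)); // owned by user 2
    }

    // Vulnerable shape: only the coarse role permission (e.g. 'crm:contact:update')
    // is checked upstream, so any such user can move any contact they name.
    void transferWithoutOwnershipCheck(long contactId, long newOwnerUserId) {
        Contact c = contacts.get(contactId);
        if (c == null) throw new IllegalArgumentException("contact not found");
        c.ownerUserId = newOwnerUserId;
    }

    // Hardened shape: the requester's identity comes from the session, never from
    // the request body, and must match the contact's current owner (or be an admin).
    void transfer(long requesterUserId, boolean requesterIsAdmin, long contactId, long newOwnerUserId) {
        Contact c = contacts.get(contactId);
        if (c == null) throw new IllegalArgumentException("contact not found");
        if (!requesterIsAdmin && c.ownerUserId != requesterUserId) {
            // Audit line for detection: transfer attempted on a contact the user does not own.
            System.out.printf("AUDIT denied transfer: user=%d contact=%d owner=%d%n",
                    requesterUserId, contactId, c.ownerUserId);
            throw new SecurityException("not the owner of contact " + contactId);
        }
        c.ownerUserId = newOwnerUserId;
    }

    public static void main(String[] args) {
        ContactTransferExample svc = new ContactTransferExample();
        svc.transfer(1L, false, 1001L, 3L); // owner reassigns own contact: allowed
        try {
            svc.transfer(1L, false, 1002L, 3L); // user 1 does not own 1002: denied
        } catch (SecurityException e) {
            System.out.println("denied as expected: " + e.getMessage());
        }
    }
}
```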
