YunaiV yudao-cloud Improper Authorization Vulnerability in Contact Transfer Function

Vulnerability

A critical vulnerability has been identified in YunaiV yudao-cloud versions prior to 2025.09. The issue resides in the HTTP Request Handler component, specifically the endpoint '/crm/contact/transfer'. The handler performs only a function-level permission check and no object-level authorization on the 'contactId' argument: any caller allowed to transfer contacts at all can name a contact owned by someone else and move it to a new owner. The vulnerability can be exploited remotely by an authenticated user, and a public proof-of-concept is available.

Impact

Exploitation allows an authenticated attacker who holds the 'crm:contact:update' permission to transfer contacts owned by other users to themselves or to any other account. The attacker thereby gains access to and control over contact records that were never assigned to them, which can lead to data theft and facilitate further attacks.

Reproduction

To reproduce this vulnerability, log in with a user account that has the 'crm:contact:update' permission but is not the owner of the target contact. Identify the contact ID of a contact that belongs to another user, for example by inspecting responses of the contact list or detail endpoints you already have access to. Choose a new owner ID, which can be your own user ID. Send a PUT request to '/crm/contact/transfer' carrying the contact ID and the new owner ID. If the request succeeds with a normal success response, fetch the contact again and check its owner field: if it now shows the new owner, the transfer was performed without an ownership check, confirming the vulnerability. Perform this only against an instance you are authorized to test, since a successful request actually reassigns the record.
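The authorization gap above, modelled as an added example that is not yudao-cloud's own code. It keeps the permission string the advisory names and compares a handler that checks only that permission against one that also verifies ownership of the contact identified by 'contactId'. The in-memory store, the JSON field names 'contactId' and 'newOwnerId', the user and contact IDs, and the elevated permission 'crm:contact:transfer-any' are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# Permission string named in the advisory; the elevated permission is a hypothetical
# name used here to show how a legitimate cross-owner transfer could still be allowed.
TRANSFER_PERMISSION = "crm:contact:update"
TRANSFER_ANY_PERMISSION = "crm:contact:transfer-any"  # assumption, not a yudao permission


@dataclass
class User:
    user_id: int
    permissions: set = field(default_factory=set)


@dataclass
class Contact:
    contact_id: int
    owner_user_id: int


class PermissionDenied(Exception):
    """Raised where the handler should answer 403."""


# Constructed sample data: user 1 owns contact 100; user 2 is an ordinary CRM user
# holding only crm:contact:update; user 3 additionally holds the elevated permission.
USERS = {
    1: User(1, {TRANSFER_PERMISSION}),
    2: User(2, {TRANSFER_PERMISSION}),
    3: User(3, {TRANSFER_PERMISSION, TRANSFER_ANY_PERMISSION}),
}


def fresh_contacts():
    """A new in-memory contact table for each scenario."""
    return {100: Contact(contact_id=100, owner_user_id=1)}


def build_transfer_request(contact_id, new_owner_id):
    """JSON body a client would PUT to /crm/contact/transfer (field names are assumed)."""
    return {"contactId": contact_id, "newOwnerId": new_owner_id}


def transfer_vulnerable(caller, body, contacts):
    """Function-level check only, mirroring the reported flaw: the handler verifies
    that the caller holds crm:contact:update but never asks who owns contactId."""
    if TRANSFER_PERMISSION not in caller.permissions:
        raise PermissionDenied("missing " + TRANSFER_PERMISSION)
    contact = contacts[body["contactId"]]
    contact.owner_user_id = body["newOwnerId"]  # no ownership check on contactId
    return contact.owner_user_id


def transfer_fixed(caller, body, contacts, users=USERS):
    """Function-level plus object-level check: the caller must own the contact
    (or hold the elevated permission) and the new owner must be a real user."""
    if TRANSFER_PERMISSION not in caller.permissions:
        raise PermissionDenied("missing " + TRANSFER_PERMISSION)
    contact = contacts.get(body["contactId"])
    if contact is None:
        raise KeyError("contact %r not found" % body["contactId"])
    if (contact.owner_user_id != caller.user_id
            and TRANSFER_ANY_PERMISSION not in caller.permissions):
        raise PermissionDenied("caller %d does not own contact %d"
                               % (caller.user_id, contact.contact_id))
    if body["newOwnerId"] not in users:
        raise ValueError("unknown new owner %r" % body["newOwnerId"])
    contact.owner_user_id = body["newOwnerId"]
    return contact.owner_user_id


def reproduce():
    """Run the advisory's steps as user 2 (a non-owner) against both handlers."""
    attacker = USERS[2]
    body = build_transfer_request(contact_id=100, new_owner_id=attacker.user_id)

    vulnerable_store = fresh_contacts()
    vulnerable_owner = transfer_vulnerable(attacker, body, vulnerable_store)

    fixed_store = fresh_contacts()
    try:
        transfer_fixed(attacker, body, fixed_store)
        fixed_denied = False
    except PermissionDenied:
        fixed_denied = True

    return {
        "vulnerable_new_owner": vulnerable_owner,                  # 2: contact taken over
        "fixed_denied": fixed_denied,                              # True: request refused
        "fixed_owner_unchanged": fixed_store[100].owner_user_id,   # still 1
    }


if __name__ == "__main__":
    print(reproduce())
```

The point of the fixed variant is that the permission string answers "may this user transfer contacts?" while the ownership comparison answers "may this user transfer this contact?"; the reported flaw is the absence of the second question. Whether the real project gates cross-owner transfers on a dedicated permission, on an administrator role, or on data-scope rules is not stated on this page, so the elevated permission here is only a placeholder for that decision.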

Added: Sep 26, 2025, 12:17 AM
Updated: Sep 26, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.6
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.