YunaiV ruoyi-vue-pro Improper Authorization Vulnerability in Business Opportunity Transfer
Vulnerability
An improper authorization vulnerability has been identified in YunaiV ruoyi-vue-pro versions through 2025.09. The issue resides in the file '/crm/business/transfer', where the application fails to properly validate authorization when transferring business opportunities. This vulnerability can be exploited remotely, allowing unauthorized users to manipulate business opportunity ownership. The vulnerability is publicly known, with an available exploit.
Impact
Exploitation of this vulnerability allows users with the 'crm:business:update' permission to transfer any business opportunity to another user, regardless of ownership. This could result in unauthorized access to sensitive business data, disruption of business processes, and potential data theft.
Reproduction
To reproduce this vulnerability, log in as a user with the 'crm:business:update' permission who does not own the business opportunity being transferred. Intercept the request to transfer a business opportunity and modify it to transfer an opportunity owned by another user to a different user. Send the modified request. The transfer will be processed successfully, indicating the vulnerability.
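The gap described above, a function-level permission check with no object-level ownership check, is shown below next to a hardened form. This is an added example, not code from ruoyi-vue-pro: the class, record and method names are hypothetical, and it assumes each business opportunity has a single owner.

```java
import java.util.Set;

// Added illustration. All names here are hypothetical, not ruoyi-vue-pro code.
public class TransferAuthzExample {
    // Constructed model: one owner per opportunity (an assumption of this sketch).
    record Business(long id, long ownerUserId) {}
    record User(long id, Set<String> permissions) {}

    static final String PERM = "crm:business:update"; // permission named in the advisory

    // Flawed pattern: function-level permission only; the target record is never consulted.
    static boolean permissionOnly(User actor, Business target) {
        return actor.permissions().contains(PERM);
    }

    // Hardened pattern: the permission plus an object-level ownership check.
    static boolean permissionAndOwnership(User actor, Business target) {
        return actor.permissions().contains(PERM)
                && target.ownerUserId() == actor.id();
    }

    // Transfer that fails closed and always derives ownership from the stored record.
    static Business transfer(User actor, Business stored, long newOwnerId) {
        if (!permissionAndOwnership(actor, stored)) {
            throw new SecurityException("user " + actor.id()
                    + " may not transfer business " + stored.id());
        }
        return new Business(stored.id(), newOwnerId);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        User alice = new User(1L, Set.of(PERM));
        User bob = new User(2L, Set.of(PERM));
        Business deal = new Business(100L, alice.id());

        System.out.println("permission only, non-owner: " + permissionOnly(bob, deal));
        System.out.println("with ownership, non-owner:  " + permissionAndOwnership(bob, deal));
        System.out.println("with ownership, owner:      " + permissionAndOwnership(alice, deal));

        try {
            transfer(bob, deal, bob.id());
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("owner transfer -> " + transfer(alice, deal, bob.id()));
    }
}
```

The ownership decision is made against the record loaded on the server, never against an owner value supplied in the request.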
