RuoYi Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in RuoYi version 4.8.0. The issue lies in the 'editSave' method of the 'GenController' component, which performs no authorization check before saving, so any authenticated remote user can reach a function intended for administrators. By sending a crafted request, unauthorized users can modify code generation configurations, potentially altering system behavior or injecting malicious code templates. This could lead to unauthorized modification of business logic, privilege escalation, or the creation of backdoors that execute arbitrary business logic within the application.

Impact

Exploitation of this vulnerability allows for vertical privilege escalation, enabling ordinary users to gain unauthorized access to administrative functionalities.

Reproduction

To reproduce this vulnerability, an ordinary (non-administrator) user sends a request to the '/tool/gen/editSave' endpoint handled by 'GenController'. After editing a code generation configuration and saving it, the change is applied successfully even though the user holds no administrative permission, which demonstrates the missing access control.
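The following Java snippet is an added illustration, not RuoYi's own code or its fix. It places the unprotected handler pattern the advisory describes next to a hardened form that enforces a permission check before the configuration is saved. It assumes Apache Shiro's '@RequiresPermissions' annotation (the standard RuoYi edition uses Shiro), the permission key "tool:gen:edit", and the placeholder types 'GenTable', 'GenTableService' and 'AjaxResult', none of which are taken from the page.

```java
// Added example (not project code). ASSUMPTIONS: Shiro annotations, the
// permission key "tool:gen:edit", and placeholder types defined below.
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.stereotype.Controller;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("/tool/gen")
public class GenController {

    /** Placeholder types standing in for the project's real classes (assumed). */
    public static class GenTable { public Long tableId; public String tableName; }

    public interface GenTableService {
        void validateEdit(GenTable table);
        void updateGenTable(GenTable table);
    }

    public static final class AjaxResult {
        public final boolean ok;
        private AjaxResult(boolean ok) { this.ok = ok; }
        public static AjaxResult success() { return new AjaxResult(true); }
    }

    private final GenTableService genTableService;

    public GenController(GenTableService genTableService) {
        this.genTableService = genTableService;
    }

    // The pattern the advisory describes: the handler is reachable by any
    // authenticated session, and nothing verifies that the caller is allowed
    // to edit generator configuration before the change is persisted.
    @PostMapping("/editSaveUnprotected")   // placeholder path for the unprotected variant
    @ResponseBody
    public AjaxResult editSaveUnprotected(@Validated GenTable genTable) {
        genTableService.validateEdit(genTable);
        genTableService.updateGenTable(genTable);
        return AjaxResult.success();
    }

    // Hardened form: Shiro evaluates the caller's permission set before the
    // method body runs. A caller without "tool:gen:edit" receives an
    // UnauthorizedException, which the application's exception handler
    // should map to HTTP 403; the configuration is never touched.
    @RequiresPermissions("tool:gen:edit")
    @PostMapping("/editSave")
    @ResponseBody
    public AjaxResult editSave(@Validated GenTable genTable) {
        genTableService.validateEdit(genTable);
        genTableService.updateGenTable(genTable);
        return AjaxResult.success();
    }
}
```

One caveat worth checking when auditing a fix like this: Shiro's annotations are enforced only if the 'AuthorizationAttributeSourceAdvisor' (and the lifecycle processor it depends on) are registered as beans, so the check runs through an AOP proxy. If that wiring is missing, the annotation is silently ignored and the method behaves exactly like the unprotected variant; a regression test that calls '/tool/gen/editSave' with a non-administrator session and expects a 403 is the simplest way to confirm the control is actually active.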

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.0
  exploitability  6.6
  remediation     0.0
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.