yangzongzhuan RuoYi Frame Injection Vulnerability in Image Source Handler

Vulnerability

A frame injection vulnerability has been identified in yangzongzhuan RuoYi versions up to and including 4.8.1. The issue lies in the Image Source Handler component, where a user-controlled image source URL can be used to load an untrusted frame. Because the component does not properly restrict UI layers, the injected frame can be used for internal service probing, information gathering, and unauthorized content manipulation within a trusted context.

Impact

Exploitation of this vulnerability allows for frame injection, where untrusted content can be loaded into a trusted application context. This could be used to manipulate content or gather information from internal services.

Reproduction

The vulnerability can be reproduced through the image insertion feature of the RuoYi editor: open the image dialog, enter a URL that points to an untrusted frame, and insert it. The injected frame can then be used to probe internal services or manipulate content within the application.
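The defensive counterpart to the behaviour described above is to treat an editor-supplied image source as untrusted input: accept only http(s) URLs (optionally from an allow-listed set of hosts), emit the URL solely inside the src attribute of an img element, and refuse any editor payload that carries frame-capable markup. The following is an added, illustrative example written for this page; it is not RuoYi's own code, and the function names, the option name allowedHosts and the sample URLs are assumptions.

```javascript
// Added example (not RuoYi's own handler): validating editor-supplied image
// source URLs and rejecting frame-capable markup before content is stored.
// Function names, the `allowedHosts` option and all sample URLs are assumptions.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Return a normalized absolute URL string if `candidate` is an acceptable
// image source, otherwise null. Only http(s) is accepted, so javascript:,
// data:, file: and scheme-relative ("//host/...") inputs are all rejected;
// embedded credentials and control characters are rejected as well.
function validateImageSrc(candidate, { allowedHosts = null } = {}) {
  if (typeof candidate !== "string") return null;
  const trimmed = candidate.trim();
  if (trimmed === "" || /[\u0000-\u001f\u007f]/.test(trimmed)) return null;
  let url;
  try {
    url = new URL(trimmed); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.username || url.password) return null;
  if (allowedHosts && !allowedHosts.includes(url.hostname.toLowerCase())) return null;
  return url.href;
}

// Escape the characters that can break out of a double-quoted HTML attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the markup the editor inserts. The output is always a plain <img>
// element; the user-supplied value can only ever land inside the src attribute,
// so it cannot introduce an iframe or any other element of its own.
function buildImageTag(candidate, options) {
  const src = validateImageSrc(candidate, options);
  if (src === null) return null;
  return `<img src="${escapeAttr(src)}" alt="">`;
}

// Pre-save check on the whole editor payload: reject content containing
// elements that can load a nested browsing context. Matching is
// case-insensitive and tolerates whitespace after "<" and "/".
const FRAME_TAGS = /<\s*\/?\s*(iframe|frame|frameset|object|embed)\b/i;

function containsFrameMarkup(html) {
  return typeof html === "string" && FRAME_TAGS.test(html);
}

// Constructed sample inputs, for running the file directly.
if (typeof require !== "undefined" && require.main === module) {
  console.log(buildImageTag("https://cdn.example.com/logo.png"));
  console.log(buildImageTag("javascript:alert(1)"));
  console.log(containsFrameMarkup("<p>text</p><IFRAME src=x></IFRAME>"));
}
```

The two checks are deliberately separate: validateImageSrc runs in the dialog and gives the user immediate feedback, while containsFrameMarkup belongs on the server, where the stored HTML is the last point at which an injected frame can be stopped regardless of which client produced it.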

Added: Jul 20, 2025, 5:22 PM
Updated: Jul 20, 2025, 5:22 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.