CVE-2022-23869

Published: Mar 30, 2022Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

In RuoYi v4.7.2 through the WebUI, user test1 does not have permission to reset the password of user test3, but the password of user test3 can be reset through the /system/user/resetPwd request.

Affected (1)

Products: Ruoyi: Ruoyi

Ruoyi

1 product

Ruoyi

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ruoyi Ruoyi	Version 4.7.2

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (2)

https://gitee.com/y_project/RuoYi/issues/I4RCO2

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://gitee.com/y_project/RuoYi/issues/I4RCO2

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.