SecuriTricks - CVE-2025-4537

Description

A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.8.9 and classified as problematic. Affected by this issue is some unknown functionality of the file ruoyi-ui/jsencrypt.js and ruoyi-ui/login.vue of the component Password Handler. The manipulation leads to cleartext storage of sensitive information in a cookie. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Product(s) Impacted

Vendor	Product	Versions
Yangzongzhuan	Ruoyi-vue	<=3.8.9

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-312

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	yangzongzhuan	ruoyi-vue	<=3.8.9	/	/	/	/	/	/	/

References

https://magnificent-dill-351.notion.site/Password-Disclosure-in-RuoYi-Vue-3-8-9-1e3c693918ed80ee9799f270c8346cd4

https://vuldb.com/?ctiid.308282

https://vuldb.com/?id.308282

https://vuldb.com/?submit.566469

CVSS Score

2.3 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: PASSIVE
Scope:
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: May 11, 2025, 10:15 a.m.
Last Modified: May 11, 2025, 10:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@vuldb.com

CVE-2025-4537