CVE-2025-7902
BaseFortify
Publication date: 2025-07-20
Last updated on: 2026-04-29
Assigner: VulDB
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ruoyi | ruoyi | up to 4.8.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7902 is a stored Cross-Site Scripting (XSS) vulnerability in the RuoYi project up to version 4.8.1. It occurs in the addSave function of the SysNoticeController.java file, where user input for notification announcements is not sanitized or restricted. Attackers can insert malicious scripts into these announcements, which are stored in the database and later rendered without encoding or escaping. When users view these announcements, the malicious scripts execute in their browsers, potentially leading to unauthorized actions. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary JavaScript in the context of the affected application. The impacts include session hijacking, defacement, and other malicious activities that can compromise user data integrity and trust. Since the malicious scripts run in users' browsers, attackers can manipulate user sessions or perform actions on behalf of users without their consent. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the notification announcement feature for stored XSS. Specifically, you can attempt to add a notification with a malicious script payload via a POST request to the endpoint /system/notice/add, for example by injecting a script tag in the noticeContent parameter. Then, access the edit page /system/notice/edit/{noticeId} to see if the script executes. A sample curl command to test this could be:

```
curl -X POST -d "noticeContent=<script>alert('XSS')</script>" https://your-ruoyi-instance/system/notice/add
```

If the alert executes when viewing the edit page, the vulnerability is present. Monitoring HTTP requests and responses for unescaped script tags in the notification content can also help detect exploitation attempts. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable addSave function by restricting access to the notification announcement feature, especially limiting who can add or edit notices. Input validation and sanitization should be implemented to neutralize any script tags or malicious content before storing it in the database. Additionally, output encoding or escaping should be applied when rendering the notification content on the edit page to prevent script execution. If possible, consider replacing or upgrading the affected component to a version without this vulnerability or applying patches once available. [2, 3]
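The two controls named in the mitigation answer, input validation on the way into the database and output encoding on the way out to the page, are shown side by side below in a small Python illustration. This is an added example, not RuoYi code and not taken from any of the cited sources; the notice records, the page template and the assumption that the notice field is meant to hold plain text (rather than rich text) are all constructed for the example. The audit helper at the end implements the detection idea from the previous answer (looking for unescaped script tags in stored notice content) against the sample store.

```python
import html
import re

# Constructed sample notices: one benign, one carrying a script payload of the
# kind the Q&A above describes. Made-up records, not data from any real instance.
SAMPLE_NOTICES = {
    1: "Maintenance window on Saturday 02:00-04:00",
    2: "<script>document.title='owned'</script>Welcome!",
}

# Hypothetical page fragment standing in for the edit-page template.
TEMPLATE = '<div class="notice-content">{content}</div>'


def render_notice_unsafe(content: str) -> str:
    """The vulnerable pattern: stored content is interpolated into the page
    as-is, so any markup it contains becomes live HTML in the viewer's browser."""
    return TEMPLATE.format(content=content)


def render_notice_safe(content: str) -> str:
    """Output encoding: every HTML-significant character (& < > " ') is escaped
    before the value is placed in an HTML text context, so the stored payload
    is displayed as literal text instead of being executed."""
    return TEMPLATE.format(content=html.escape(content, quote=True))


_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def validate_plain_text_notice(content: str) -> bool:
    """Input validation for a field assumed to hold plain text: reject anything
    that looks like an HTML tag. For a rich-text field this is too strict and an
    allow-list HTML sanitizer is the right tool instead (not shown here)."""
    return _TAG_RE.search(content) is None


_SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def find_unescaped_script(rendered_html: str) -> bool:
    """Check on rendered output: True if a live <script> tag survived rendering,
    i.e. the page did not encode the stored content."""
    return _SCRIPT_RE.search(rendered_html) is not None


def audit_stored_notices(notices: dict) -> list:
    """Return ids of stored notices whose content contains a script tag, the
    artefact an exploitation attempt of this kind leaves behind in the database."""
    return [nid for nid, body in notices.items() if _SCRIPT_RE.search(body)]


if __name__ == "__main__":
    for nid, body in SAMPLE_NOTICES.items():
        print(f"notice {nid}: valid plain text = {validate_plain_text_notice(body)}")
        print("  unsafe render executes script:", find_unescaped_script(render_notice_unsafe(body)))
        print("  safe render executes script:  ", find_unescaped_script(render_notice_safe(body)))
    print("notices with stored script tags:", audit_stored_notices(SAMPLE_NOTICES))
```

Output encoding is the control that closes the vulnerability regardless of what is already in the database, which is why it belongs in the rendering layer and not only in the add/edit handler; the validation check keeps new payloads out, and the audit helper finds the ones that were stored before the fix.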