CVE-2025-10276

State: PUBLISHED · Published: 2025-09-12 · Updated: 2025-09-12 · Assigner: VulDB

Description

A security vulnerability has been detected in YunaiV ruoyi-vue-pro up to 2025.09. This vulnerability affects unknown code of the file /crm/contract/transfer. The manipulation of the argument id/newOwnerUserId leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE

CWE-285 — Improper Authorization
CWE-266 — Incorrect Privilege Assignment

Affected

YunaiV / ruoyi-vue-pro — v=2025.09 [affected]

CVSS

4.0 score=5.3 severity=MEDIUM CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.1 score=6.3 severity=MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3.0 score=6.3 severity=MEDIUM CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2.0 score=6.5 severity= AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

References

https://vuldb.com/?id.323646 vdb-entry, technical-description
https://vuldb.com/?ctiid.323646 signature, permissions-required
https://vuldb.com/?submit.643386 third-party-advisory
https://www.cnblogs.com/aibot/p/19063567 broken-link, exploit

Source

cvelistV5-main/cves/2025/10xxx/CVE-2025-10276.json