CVE-2023-3815 — RuoYi vulnerable to Cross-site Scripting

Description

A vulnerability, which was classified as problematic, has been found in y_project RuoYi up to 4.7.7. Affected by this issue is the function `uploadFilesPath` of the component `File Upload`. The manipulation of the argument `originalFilenames` leads to cross site scripting. The attack may be launched remotely. VDB-235118 is the identifier assigned to this vulnerability.

How to fix CVE-2023-3815

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2023-3815 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 4.7.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-3815
PATCHgitee.com/y_project/RuoYi
WEBgitee.com/y_project/RuoYi/issues/I7IL85
WEBvuldb.com/?ctiid.235118
WEBvuldb.com/?id.235118