Submit #600948: dromara RuoYi-Vue-Plus 5.4.0 Arbitrary File Read

Title: dromara RuoYi-Vue-Plus 5.4.0 Arbitrary File Read
Description: In the RuoYi-Vue-Plus project, the endpoints /demo/mail/sendMessageWithAttachment and /demo/mail/sendMessageWithAttachments in MailController.java can be accessed without authentication and allow attackers to specify arbitrary file paths as email attachments. This leads to an arbitrary file read vulnerability, enabling exfiltration of sensitive files from the server.
  Project Link: https://github.com/dromara/RuoYi-Vue-Plus
  Affected Version: 5.4.0
  Affected API: /demo/mail/sendMessageWithAttachment and /demo/mail/sendMessageWithAttachments
  Code Location: /src/main/java/org/dromara/demo/controller/MailController.java
Source: https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250620-01/report.md
User: ShenxiuSecurity (UID 84374)
Submission: 2025-06-20 03:57 (12 months ago)
Moderation: 2025-06-30 15:17 (10 days later)
Status: Accepted
VulDB entry: 314437 [Dromara RuoYi-Vue-Plus 5.4.0 Mail MailController.java filePath directory traversal]
Points: 20
