Unauthorized Password Reset Vulnerability in RuoYi v4.7.2 WebUI

CVE-2022-23869 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

In the RuoYi v4.7.2 WebUI, user test1 does not have permission to reset the password of user test3, but the password of user test3 can still be reset through the /system/user/resetPwd request.
