Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ruoyi-vue-pro - Incorrect Permission Namespace in ErpSaleOrderController
Vulnerability Description
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
YunaiV ruoyi-vue-pro 授权问题漏洞
Vulnerability Description
YunaiV ruoyi-vue-pro是YunaiV个人开发者的一款开发框架软件。 YunaiV ruoyi-vue-pro 2026.05及之前版本存在授权问题漏洞,该漏洞源于ErpSaleOrderController权限命名空间执行错误,可能导致具有erp:sale-out权限的攻击者未经授权访问销售订单操作。以下版本受到影响:2026.05及之前版本。
CVSS Information
N/A
Vulnerability Type
N/A