Description
A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Impacted is the function DownloadTmp/DownloadUpload of the file modules/system/controller/CommonController.go. Performing manipulation of the argument fileName results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
In lostvip-com ruoyi-go bis 2.1 wurde eine Schwachstelle gefunden. Hierbei betrifft es die Funktion DownloadTmp/DownloadUpload der Datei modules/system/controller/CommonController.go. Mittels Manipulieren des Arguments fileName mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Angriff lässt sich über das Netzwerk starten. Der Exploit steht zur öffentlichen Verfügung.
Problem types
Product status
2.1
Timeline
| 2025-08-25: | Advisory disclosed |
| 2025-08-25: | VulDB entry created |
| 2025-08-25: | VulDB entry last update |
Credits
OnTheWay (VulDB User)
References
vuldb.com/?id.321250 (VDB-321250 | lostvip-com ruoyi-go CommonController.go DownloadUpload path traversal)
vuldb.com/?ctiid.321250 (VDB-321250 | CTI Indicators (IOB, IOC, TTP, IOA))
vuldb.com/?submit.633661 (Submit #633661 | github ruoyi-go 2.1 Directory Traversal)
vuldb.com/?submit.633663 (Submit #633663 | GitHub ruoyi-go 2.1 Directory Traversal (Duplicate))
github.com/on-theway/cve/issues/1
github.com/on-theway/cve/issues/2
