A flaw has been found in lostvip-com ruoyi-go up to 2.1. This impacts the function SelectListByPage of the file modules/system/system_router.go. This manipulation of the argument orderByColumn/isAsc causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
History

Tue, 26 Aug 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Ruoyi
Ruoyi ruoyi
Vendors & Products Ruoyi
Ruoyi ruoyi

Mon, 25 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in lostvip-com ruoyi-go up to 2.1. This impacts the function SelectListByPage of the file modules/system/system_router.go. This manipulation of the argument orderByColumn/isAsc causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title lostvip-com ruoyi-go system_router.go SelectListByPage sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2025-08-25T18:09:50.560Z

Reserved: 2025-08-25T08:45:51.488Z

Link: CVE-2025-9413

cve-icon Vulnrichment

Updated: 2025-08-25T18:09:00.844Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-25T18:15:32.700

Modified: 2025-08-25T20:24:45.327

Link: CVE-2025-9413

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-26T08:54:54Z