Impact
The vulnerability is a Cross‑Site Scripting flaw (CWE‑79) located at the /system/notice/add interface of Ruoyi 4.8.2. An attacker can submit malicious input that contains JavaScript, which the application stores or reflects without proper escaping. When an end‑user views the affected notice, the injected scripts run in the user’s browser, allowing client‑side attacks such as session theft or credential compromise.
Affected Systems
Ruoyi version 4.8.2 is affected. No additional vendors or product versions are identified in the available references.
Risk and Exploitability
The CVSS score of 6.1 indicates medium severity, while the EPSS score below 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in CISA KEV, suggesting that no widespread exploitation is known. Exploitation would likely occur through the /system/notice/add endpoint, where user input is not sanitized, allowing an attacker to embed arbitrary JavaScript that executes in the browsers of users who view the compromised notice.
OpenCVE Enrichment