Improper Auth in /crm/contact/transfer – YunaiV ruoyi-vue-pro <=2025.09
CVE-2025-10278 Published on September 12, 2025

YunaiV ruoyi-vue-pro transfer improper authorization
A flaw has been found in YunaiV ruoyi-vue-pro up to 2025.09. Impacted is an unknown function of the file /crm/contact/transfer. This manipulation of the argument ids/newOwnerUserId causes improper authorization. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

NVD

Timeline

2025-09-11

Advisory disclosed

2025-09-11

VulDB entry created

2025-09-11

VulDB entry last update

Weakness Types

What is an AuthZ Vulnerability?

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVE-2025-10278 has been classified to as an AuthZ vulnerability or weakness.

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Affected Versions

YunaiV ruoyi-vue-pro Version 2025.09 is affected by CVE-2025-10278

Exploit Probability

EPSS

0.09%

Percentile

25.66%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Improper Auth in /crm/contact/transfer – YunaiV ruoyi-vue-pro <=2025.09CVE-2025-10278 Published on September 12, 2025

Timeline

Weakness Types

What is an AuthZ Vulnerability?

Incorrect Privilege Assignment

Affected Versions

Exploit Probability

Improper Auth in /crm/contact/transfer – YunaiV ruoyi-vue-pro <=2025.09
CVE-2025-10278 Published on September 12, 2025