CVE-2024-42900: n/a
Ruoyi v4.7.9 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the sql parameter of the createTable() function at /tool/gen/create.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2024-42900 identifies a cross-site scripting (XSS) vulnerability in Ruoyi, an open-source Java-based rapid development framework, in versions 4.7.9 and earlier. The flaw lies in the createTable() function reached through the /tool/gen/create endpoint, where the sql parameter is not properly sanitized, so attacker-supplied JavaScript can be injected. When a victim opens a crafted URL or submits the malicious input, the injected script runs in the victim's browser context, which can enable theft of session cookies, user impersonation, or manipulation of the application's client-side logic. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 metrics (base score 6.1) give a network attack vector (AV:N), no privileges required (PR:N) and user interaction required (UI:R); the scope is changed (S:C), meaning exploitation can affect resources beyond the vulnerable component, and the impact is low for confidentiality and integrity with no availability impact. No public exploits or patches had been reported at the time of publication. The case underlines the need for robust input validation and output encoding in web applications, particularly in rapid-development frameworks such as Ruoyi.
Potential Impact
The primary impact of CVE-2024-42900 is the potential compromise of user confidentiality and integrity through the execution of arbitrary scripts in the victim's browser. This can lead to session hijacking, unauthorized actions performed on behalf of the user, or defacement of web content. Although the availability of the application is not directly affected, the trustworthiness and security posture of affected organizations can be undermined. Since the vulnerability requires user interaction, the attack surface is somewhat limited but still significant in environments where users access the vulnerable endpoint. Organizations relying on Ruoyi for internal or external web applications may face targeted phishing or social engineering attacks leveraging this flaw. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly after disclosure.
Mitigation Recommendations
To mitigate CVE-2024-42900, organizations should apply strict input validation and output encoding to the sql parameter handled by the createTable() function so that any embedded markup or script is neutralized. Set Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in the browser. Until an official patch is released, consider disabling the /tool/gen/create endpoint or restricting it to trusted users, for example behind a VPN. Conduct security code reviews focused on input handling in similar endpoints. Educate users about phishing risks and encourage caution with unexpected links or inputs. Monitor web application logs for suspicious requests targeting the vulnerable parameter. Update Ruoyi to the latest version once a patch addressing this vulnerability becomes available. Deploy web application firewall (WAF) rules that detect and block common XSS payloads aimed at this endpoint.
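The two controls named above, output encoding at the point where the sql value is written into HTML and a restrictive CSP header, are shown below in a small stand-alone Java program. This is an added illustration, not Ruoyi's code: the class name, the renderUnsafe()/renderSafe() methods and the markup they build are hypothetical stand-ins for whatever view Ruoyi's createTable() feeds, and the sample input is constructed for the demonstration.

```java
// Added example (not Ruoyi's code): HTML-encode a user-supplied "sql"
// value before it is placed into generated markup, and pair that with
// defensive response headers. Names and markup here are hypothetical.
import java.util.LinkedHashMap;
import java.util.Map;

public final class ReflectedParamEncoding {

    /** Minimal HTML entity encoder for text placed in an element body or a quoted attribute. */
    public static String htmlEncode(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern (CWE-79): the parameter is concatenated into markup untouched. */
    public static String renderUnsafe(String sql) {
        return "<div class=\"msg\">Table created from: " + sql + "</div>";
    }

    /** Hardened pattern: the same reflection, encoded at the output boundary. */
    public static String renderSafe(String sql) {
        return "<div class=\"msg\">Table created from: " + htmlEncode(sql) + "</div>";
    }

    /** Response headers a defender adds in addition to, not instead of, the encoding fix. */
    public static Map<String, String> hardeningHeaders() {
        Map<String, String> headers = new LinkedHashMap<>();
        // No inline scripts, no remote script sources, no plugins, no <base> hijacking.
        headers.put("Content-Security-Policy",
                "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
        headers.put("X-Content-Type-Options", "nosniff");
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample: ordinary DDL followed by stray markup characters.
        String sample = "create table t (id int) <b>x</b> & \"quoted\"";
        System.out.println("unsafe: " + renderUnsafe(sample));
        System.out.println("safe:   " + renderSafe(sample));
        hardeningHeaders().forEach((name, value) -> System.out.println(name + ": " + value));
    }
}
```

In the safe output the angle brackets, ampersand and quotes arrive in the browser as entities, so the sql text is displayed rather than parsed as markup. The CSP header is a second layer: it does not fix the reflection, but it stops inline scripts from executing if a similar encoding gap is found elsewhere in the application.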
Affected Countries
China, United States, India, Japan, South Korea, Germany, United Kingdom, France, Brazil, Russia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-08-05T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cd0b7ef31ef0b569461
Added to database: 2/25/2026, 9:42:40 PM
Last enriched: 2/28/2026, 6:19:23 AM
Last updated: 4/12/2026, 3:33:47 PM