CVE-2025-7902 is a cross-site scripting (XSS) vulnerability identified in the yangzongzhuan RuoYi framework, specifically affecting versions 4.8.0 and 4.8.1. The vulnerability resides in the addSave function within the SysNoticeController.java file (com/ruoyi/web/controller/system/SysNoticeController.java). This function likely handles the creation or saving of system notices or announcements. Due to insufficient input sanitization or output encoding, an attacker can inject malicious scripts into the input fields processed by addSave. When these scripts are rendered in a victim's browser, they execute in the context of the vulnerable web application, enabling the attacker to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The vulnerability is remotely exploitable without authentication, though it requires user interaction (e.g., a victim visiting a crafted page or viewing a malicious notice). The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), but user interaction is needed (UI:P). The impact on confidentiality is none, integrity is low, and availability is none. No known exploits are currently observed in the wild, but public disclosure of the exploit code increases the risk of exploitation. No patches or fixes are currently linked, so affected organizations must monitor vendor updates or implement mitigations. This vulnerability is typical of web applications that fail to properly sanitize user input before rendering it in HTML contexts, allowing script injection and execution in users' browsers.

For European organizations using the yangzongzhuan RuoYi framework versions 4.8.0 or 4.8.1, this XSS vulnerability poses a risk primarily to web application users and administrators. Successful exploitation could lead to session hijacking, enabling attackers to impersonate legitimate users, potentially gaining unauthorized access to sensitive information or administrative functions. It could also facilitate phishing attacks by redirecting users to malicious sites or injecting misleading content. While the vulnerability does not directly compromise system availability or confidentiality at a high level, it undermines user trust and can serve as a foothold for further attacks, including privilege escalation or malware delivery. Organizations in sectors with high reliance on web-based internal tools or public-facing portals built on RuoYi may face reputational damage and compliance risks, especially under GDPR if user data is exposed or manipulated. The need for user interaction limits automated exploitation but does not eliminate risk, particularly in environments with many users or where social engineering can be leveraged. The absence of patches means organizations must rely on compensating controls until updates are available.

1. Immediate mitigation should include implementing strict input validation and output encoding on all user-supplied data, especially in the addSave function and any other endpoints handling user input. Use established libraries or frameworks for sanitization to prevent script injection. 2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, reducing the impact of potential XSS payloads. 3. Monitor web application logs for unusual input patterns or error messages that may indicate attempted exploitation. 4. Educate users and administrators about the risks of clicking untrusted links or interacting with suspicious notices within the application. 5. If possible, restrict access to the vulnerable functionality to authenticated and authorized users only, reducing the attack surface. 6. Regularly check for vendor patches or updates addressing this vulnerability and apply them promptly once available. 7. Consider deploying Web Application Firewalls (WAFs) with rules tuned to detect and block common XSS attack vectors targeting the application. 8. Conduct security testing and code reviews focusing on input handling and output encoding to identify and remediate similar issues proactively.