Sanlang

**Name of the Vulnerable Software and Affected Versions** RuoYi version 4.7.2 **Description** The issue is related to a CSV injection vulnerability. This vulnerability can be exploited when a victim opens a .xlsx log file through ruoyi-admin. **Recommendations** For RuoYi version 4.7.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuoYi versions 4.7.2 **Description** The issue allows a user without permission to reset another user's password through a specific API endpoint. Specifically, user `test1` does not have permission to reset the password of user `test3` via the WebUI, but can do so through the "/system/user/resetPwd" API endpoint. **Recommendations** For RuoYi version 4.7.2, as a temporary workaround, consider restricting access to the "/system/user/resetPwd" API endpoint to prevent unauthorized password resets. Additionally, review and adjust the permission settings to ensure that only authorized users can reset passwords. At the moment, there is no information about a newer version that contains a fix for this vulnerability.