CVE-2022-32065: 
Java vulnerability analysis and mitigation

An arbitrary file upload vulnerability was discovered in the background management module of RuoYi version 4.7.3 and below, identified as CVE-2022-32065. The vulnerability was discovered on May 16, 2022, and allows attackers to execute arbitrary code via crafted HTML files uploaded through the avatar upload functionality (CVE Details, Gitee Issue).

The vulnerability exists in the avatar upload functionality of RuoYi's background management module. The system failed to properly validate file extensions and content during the avatar upload process, allowing attackers to upload HTML files with malicious content. The vulnerability could be exploited by uploading an HTML file with embedded XSS payloads through the avatar upload interface (GitHub Issue).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code through stored XSS attacks. When other users with management permissions access the system, they could trigger the malicious code embedded in the uploaded HTML file, potentially leading to unauthorized actions being performed in their context (Gitee Issue).

The vulnerability has been patched by implementing proper file extension validation for avatar uploads. The fix restricts uploaded files to image extensions only and was implemented in the commit d8b2a9a. Users should update to the latest version of RuoYi that includes this security fix (RuoYi Commit).