CVE-2024-12869

Medium CVSS: 4.3

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or usernames in the invite list, could be exposed without their consent. This data leakage can facilitate further attacks, such as phishing or spam, and result in loss of trust and potential regulatory issues.

Vendor

Infiniflow

Product

Ragflow

CWE

CWE-306

Yayın Tarihi

2025-03-20 10:15:31

Güncelleme

2025-10-15 13:15:40

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-306 Ragflow MEDIUM Infiniflow 2025

Referanslar

https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a

Benzer Kayıtlar

Critical

CVE-2026-24770

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions,…

High

CVE-2025-68700

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged aut…

High

CVE-2025-69286

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecu…

Medium

CVE-2025-51462

Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attack…

Critical

CVE-2025-48187

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against…

Medium

CVE-2024-12871

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowl…