CVE-2024-12871

Medium CVSS: 5.4

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in the context of the user's browser. This can lead to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the victim, compromising sensitive user data and affecting the integrity of the entire application.

Vendor

Infiniflow

Product

Ragflow

CWE

CWE-79

Yayın Tarihi

2025-03-20 10:15:31

Güncelleme

2025-04-01 20:34:33

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-79 Ragflow MEDIUM Infiniflow 2025

Referanslar

https://huntr.com/bounties/7903945c-2839-4dd5-9d40-9ef47fe53118 https://huntr.com/bounties/7903945c-2839-4dd5-9d40-9ef47fe53118

Benzer Kayıtlar

Critical

CVE-2026-24770

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions,…

High

CVE-2025-68700

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged aut…

High

CVE-2025-69286

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecu…

Medium

CVE-2025-51462

Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attack…

Critical

CVE-2025-48187

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against…

Medium

CVE-2024-12869

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view anot…