Stored Cross-Site Scripting Vulnerability in Infiniflow's Ragflow
CVE-2024-12870

5.4MEDIUM

Key Information:

Vendor: Infiniflow
Status: Infiniflow/ragflow
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-12870?

A stored cross-site scripting vulnerability has been identified in Infiniflow's Ragflow, allowing attackers to upload harmful HTML/XML files containing arbitrary JavaScript payloads. When a user accesses these files, their browser automatically renders the content due to the 'application/xml' content type, potentially executing malicious scripts in the user's session. This can result in unauthorized actions such as cookie theft and access to sensitive user data without requiring any form of authentication, making it a highly exploitable risk for users with network access to the affected instance.

Affected Version(s)

infiniflow/ragflow <= unspecified

References

https://huntr.com/bounties/d6b497d2-5c95-4abc-8033-04b806...

CVSS V3.0

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Dec 20, 2024