XSS Vulnerability in Ragflow by Infiniflow Exposes User Data
CVE-2024-12871
5.4 MEDIUM
What is CVE-2024-12871?
A Cross-Site Scripting (XSS) vulnerability in Ragflow by Infiniflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When another user views that file, the payload embedded in it executes in the viewer's browser. Exploitation can lead to session hijacking, unauthorized actions performed on behalf of the victim, and potential data exfiltration, compromising sensitive user information and the application's overall integrity.
Affected Version(s)
infiniflow/ragflow <= unspecified
References
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
CVSS V3.0
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved