CVE-2024-12870
Stored Cross-site Scripting (XSS) in infiniflow/ragflow
Severity Score
5.4
*CVSS v3
Exploit Likelihood
< 1%
*EPSS
Affected Versions
0
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch (cec2080). The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' content type, which is automatically rendered by browsers. This can lead to the execution of arbitrary JavaScript in the context of the user's browser, potentially allowing attackers to steal cookies and gain unauthorized access to user files and resources. The vulnerability does not require authentication, making it accessible to anyone with network access to the instance.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-12-20 CVE Reserved
- 2025-03-20 CVE Published
- 2025-03-20 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://huntr.com/bounties/d6b497d2-5c95-4abc-8033-0... |
|
1 - 1 of 1
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions (0)
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| - | - | - | - | - | ||||||