1. Home
  2. CVE Database
  3. CVE-2024-12871
MEDIUM · 5.4

CVE-2024-12871

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in th...

Vulnerability Description

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in the context of the user's browser. This can lead to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the victim, compromising sensitive user data and affecting the integrity of the entire application.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
InfiniflowRagflow0.12.0

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2024-12871?

CVE-2024-12871 is a vulnerability with a CVSS score of 5.4 (MEDIUM). An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in th...

How severe is CVE-2024-12871?

CVE-2024-12871 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-12871?

Check the references section above for vendor advisories and patch information. Affected products include: Infiniflow Ragflow.