CVE-2024-12869

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-12869

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12869.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-12869

Published

2025-03-20T10:15:31Z

Modified

2025-04-02T08:44:41.912317Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or usernames in the invite list, could be exposed without their consent. This data leakage can facilitate further attacks, such as phishing or spam, and result in loss of trust and potential regulatory issues.

References

https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a

Affected packages

Git / github.com/infiniflow/ragflow

Affected ranges

Type: GIT
Repo: https://github.com/infiniflow/ragflow
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

92a4a095c922690b31e9ef557b708d3920d092a9

Affected versions

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.12.0

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.4.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.9.0