CVE-2024-12871

Source
https://cve.org/CVERecord?id=CVE-2024-12871
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12871.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-12871
Published
2025-03-20T10:11:07.129Z
Modified
2026-07-08T07:47:11.708845068Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Stored Cross-site Scripting (XSS) in infiniflow/ragflow
Details

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in the context of the user's browser. This can lead to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the victim, compromising sensitive user data and affecting the integrity of the entire application.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12871.json",
    "cna_assigner": "@huntr_ai",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/infiniflow/ragflow

Affected ranges

Type
GIT
Repo
https://github.com/infiniflow/ragflow
Events
Database specific
{
    "cpe": "cpe:2.3:a:infiniflow:ragflow:0.12.0:*:*:*:*:*:*:*",
    "source": "CPE_STRING",
    "extracted_events": [
        {
            "introduced": "0.12.0"
        },
        {
            "last_affected": "0.12.0"
        }
    ]
}

Affected versions

0.*
0.12.0
v0.*
v0.12.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12871.json"