CVE-2024-12871 MEDIUM

CVE-2024-12871: Stored Cross-site Scripting (XSS) in infiniflow/ragflow

Vendor Infiniflow
Product infiniflow/ragflow
Weakness CWE-79 · XSS
Published March 20, 2025
Last update March 20, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

In infiniflow/ragflow version 0.12.0, an authenticated user can upload a malicious PDF file to a knowledge base. When another user views that file inside RAGFlow, the payload executes in the victim's browser in the application's context, which can lead to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the victim. The CVSS vector reflects this: the attacker needs an account that can upload to a knowledge base (PR:L), a victim must open the file (UI:R), and because the script runs against the application rather than inside the vulnerable component itself, scope is Changed (S:C). Any application that stores user uploads and serves them back to the browser from its own origin without restricting how they are rendered is exposed to the same class of bug.
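The defensive side of this, as an added example that is not RAGFlow's code: a Python sketch of the two controls an upload path of this kind wants, a content check at upload time (reject files that are not PDFs by magic number, and flag PDFs carrying active content) and safe response headers at download time (correct MIME type, no sniffing, served as an attachment, scripts forbidden by CSP). The function names, the header set, the list of risky PDF names and the sample files are assumptions for illustration; the advisory does not say how RAGFlow renders the uploaded PDF, so the example is written generically for any application that returns stored uploads to the browser.

```python
"""Upload-time and download-time hardening for user-supplied PDFs.

Added example (not infiniflow/ragflow code). Function names, the header set
and the sample inputs below are assumptions made for illustration.
"""
import re
from urllib.parse import quote

PDF_HEADER = b"%PDF-"

# PDF name objects that can run code or trigger actions when the file is
# opened. This is a pdfid-style heuristic on the raw bytes: names hidden in
# compressed object streams are NOT seen, so treat it as defence in depth,
# not as a guarantee.
RISKY_PDF_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
    b"/Launch", b"/EmbeddedFile", b"/RichMedia",
)


def validate_pdf_upload(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file claimed to be a PDF."""
    # Trust the content, never the extension or the client's Content-Type.
    # An HTML file renamed to .pdf will fail here.
    if not data[:1024].lstrip().startswith(PDF_HEADER):
        return False, "not a PDF: missing %PDF- header"
    for name in RISKY_PDF_NAMES:
        # Match the whole name token only (so /JS does not match /JSX-like names).
        if re.search(re.escape(name) + rb"(?![A-Za-z])", data):
            return False, f"PDF contains active content ({name.decode()})"
    return True, "ok"


def safe_pdf_response_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored upload so its contents cannot run in the
    application's origin, even if a previous validation was bypassed."""
    # ASCII-only fallback name for the quoted filename parameter; the original
    # name goes percent-encoded into filename* (RFC 6266 / RFC 5987), which
    # also neutralises quotes and CR/LF in attacker-chosen names.
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    if not ascii_name.lower().endswith(".pdf"):
        ascii_name += ".pdf"
    return {
        "Content-Type": "application/pdf",
        # Prevent the browser from sniffing the body into text/html.
        "X-Content-Type-Options": "nosniff",
        # Download rather than render inline in the app's origin. If inline
        # preview is required, serve it from a separate, cookie-less origin.
        "Content-Disposition": (
            f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(filename, safe='')}"
        ),
        # Even if something does render it: no scripts, no network, no origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "no-store",
    }


# Constructed sample inputs (not real files from the advisory).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"%%EOF\n")
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
HTML_AS_PDF = b"<html><script>alert(document.cookie)</script></html>"


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("js", JS_PDF),
                        ("html-renamed", HTML_AS_PDF)):
        print(label, validate_pdf_upload(blob))
    for k, v in safe_pdf_response_headers('report "1".pdf').items():
        print(f"{k}: {v}")
```

The upload check is the weaker of the two controls, since a PDF can pack its catalog and actions into compressed object streams that a byte-level scan does not see; the response headers are what actually stop a hostile upload from executing as the application. If the product needs in-browser preview of uploads, the usual pattern is to serve them from a dedicated origin that carries no session cookies.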

Key dates

Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated
