CVE-2024-12869

Exploit

EPSS 0.07%
Veröffentlicht 20.03.2025 10:11:19
Zuletzt bearbeitet 15.10.2025 13:15:40
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or usernames in the invite list, could be exposed without their consent. This data leakage can facilitate further attacks, such as phishing or spam, and result in loss of trust and potential regulatory issues.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Infiniflow ≫ Ragflow Version0.12.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.213

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security@huntr.dev	4.3	2.8	1.4	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-12869

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-12869

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-12869

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-12869