CVE-2024-12870

EPSS 0.15%
Veröffentlicht 20.03.2025 10:10:45
Zuletzt bearbeitet 20.03.2025 10:15:31
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch (cec2080). The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' content type, which is automatically rendered by browsers. This can lead to the execution of arbitrary JavaScript in the context of the user's browser, potentially allowing attackers to steal cookies and gain unauthorized access to user files and resources. The vulnerability does not require authentication, making it accessible to anyone with network access to the instance.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerinfiniflow

≫

Produkt infiniflow/ragflow

Version <= latest

Version unspecified

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.355

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	5.4	2.3	2.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://huntr.com/bounties/d6b497d2-5c95-4abc-8033-04b8068fed65

https://nvd.nist.gov/vuln/detail/CVE-2024-12870

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-12870

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-12870

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-12870