CVE-2024-12871: Stored Cross-site Scripting (XSS) in infiniflow/ragflow
First published: Thu Mar 20 2025(Updated: )
An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in the context of the user's browser. This can lead to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the victim, compromising sensitive user data and affecting the integrity of the entire application.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| RAGFlow | ||
| RAGFlow | =0.12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-12871?
CVE-2024-12871 is classified as a medium severity XSS vulnerability that can lead to session hijacking.
How do I fix CVE-2024-12871?
To fix CVE-2024-12871, ensure you update to a patched version of infiniflow/ragflow that mitigates the XSS vulnerability.
What are the risks associated with CVE-2024-12871?
The risks associated with CVE-2024-12871 include potential session hijacking and unauthorized access to user data.
Which versions of infiniflow/ragflow are affected by CVE-2024-12871?
CVE-2024-12871 affects infiniflow/ragflow version 0.12.0.
Can CVE-2024-12871 be exploited remotely?
Yes, CVE-2024-12871 can be exploited remotely when a user opens a malicious PDF file uploaded to the knowledge base.
- agent/references
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/author
- agent/source
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- collector/nvd-api
- source/NVD
- vendor/infiniflow
- canonical/ragflow
- version/ragflow/0.12.0