Home

Description

A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch (cec2080). The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' content type, which is automatically rendered by browsers. This can lead to the execution of arbitrary JavaScript in the context of the user's browser, potentially allowing attackers to steal cookies and gain unauthorized access to user files and resources. The vulnerability does not require authentication, making it accessible to anyone with network access to the instance.

PUBLISHED Reserved 2024-12-20 | Published 2025-03-20 | Updated 2025-03-20 | Assigner @huntr_ai




MEDIUM: 5.4CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Any version
affected

References

huntr.com/bounties/d6b497d2-5c95-4abc-8033-04b8068fed65

cve.org (CVE-2024-12870)

nvd.nist.gov (CVE-2024-12870)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.