VYPR
Medium severity5.4NVD Advisory· Published Mar 20, 2025· Updated Apr 15, 2026

CVE-2024-12870

CVE-2024-12870

Description

A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch (cec2080). The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' content type, which is automatically rendered by browsers. This can lead to the execution of arbitrary JavaScript in the context of the user's browser, potentially allowing attackers to steal cookies and gain unauthorized access to user files and resources. The vulnerability does not require authentication, making it accessible to anyone with network access to the instance.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Infiniflow/Ragflowinferred2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: latest commit (cec2080)

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.