CVE-2024-12869

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or usernames in the invite list, could be exposed without their consent. This data leakage can facilitate further attacks, such as phishing or spam, and result in loss of trust and potential regulatory issues.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a	Exploit
https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:infiniflow:ragflow:0.12.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-12869

Mitre link : CVE-2024-12869

CVE.ORG link : CVE-2024-12869

JSON object : View

Products Affected

infiniflow

ragflow

CWE

CWE-306

Missing Authentication for Critical Function

NVD-CWE-noinfo

{"id": "CVE-2024-12869", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:31.087", "references": [{"url": "https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or usernames in the invite list, could be exposed without their consent. This data leakage can facilitate further attacks, such as phishing or spam, and result in loss of trust and potential regulatory issues."}, {"lang": "es", "value": "En la versi\u00f3n v0.12.0 de infiniflow/ragflow, existe una vulnerabilidad de autenticaci\u00f3n incorrecta que permite a un usuario ver la lista de invitados de otro. Esto puede provocar una vulneraci\u00f3n de la privacidad, donde la informaci\u00f3n personal o privada de los usuarios, como sus direcciones de correo electr\u00f3nico o nombres de usuario en la lista de invitados, podr\u00eda quedar expuesta sin su consentimiento. Esta filtraci\u00f3n de datos puede facilitar nuevos ataques, como phishing o spam, y provocar la p\u00e9rdida de confianza y posibles problemas regulatorios."}], "lastModified": "2025-10-15T13:15:40.930", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:infiniflow:ragflow:0.12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EDC17D5-855D-4564-ABB4-CED9A5E4F983"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}