CVE-2024-12870

CVSS 3.0 Score 5.4 of 10 (medium)

Details

Published Mar 20, 2025
CWE ID 79

Summary

CVE-2024-12870 is a newly discovered stored cross-site scripting (XSS) vulnerability affecting the latest commit (cec2080) of the infiniflow/ragflow software. It lets attackers upload malicious HTML/XML files containing arbitrary JavaScript payloads, which the application then serves with the 'application/xml' content type. Because browsers render this content type automatically, the JavaScript can execute in the context of the user's browser. Exploitation does not require user authentication, so the issue is reachable by anyone with network access to the instance. As a result, attackers can potentially steal cookies and gain unauthorized access to user files and resources.
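One way a file-download endpoint can avoid the condition described in the summary, shown as an added example that is not ragflow's code or its fix: uploads whose type a browser would parse as a document are forced to a non-rendering type and downloaded as attachments. The function name download_headers and the inline allowlist are assumptions made for the illustration.

```python
import mimetypes
import os
from typing import Dict, Optional
from urllib.parse import quote

# Media types a browser parses as a document and may run script from.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "application/xml",
                "text/xml", "image/svg+xml"}
# Assumed allowlist of types that are acceptable to display inline.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def _base_type(value: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return value.split(";", 1)[0].strip().lower()


def download_headers(filename: str, declared_type: Optional[str] = None) -> Dict[str, str]:
    """Build response headers for serving a user-uploaded file (hypothetical helper)."""
    name = os.path.basename(filename)
    guessed, _ = mimetypes.guess_type(name)
    candidates = {_base_type(t) for t in (declared_type, guessed) if t}

    active = any(t in ACTIVE_TYPES or t.endswith("+xml") for t in candidates)
    # Inline only when every signal agrees on one allowlisted type.
    inline = not active and len(candidates) == 1 and candidates <= INLINE_SAFE

    content_type = next(iter(candidates)) if inline else "application/octet-stream"
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Type": content_type,
        # Percent-encoding the name also keeps CR/LF and quotes out of the header.
        "Content-Disposition": f"{disposition}; filename*=UTF-8''{quote(name, safe='')}",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample uploads: (stored filename, client-declared type).
    for sample in [("payload.xml", "application/xml"), ("photo.png", "image/png"),
                   ("photo.png", "text/html; charset=utf-8")]:
        print(sample, download_headers(*sample))
```

Serving uploads from a separate origin that holds no session cookies limits the impact further if a rendering type ever slips through.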
