CVE-2024-12869: Improper Authentication in infiniflow/ragflow

4.3 CVSS

Description

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or usernames in the invite list, could be exposed without their consent. This data leakage can facilitate further attacks, such as phishing or spam, and result in loss of trust and potential regulatory issues.

Classification

CVE ID: CVE-2024-12869

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-287 Improper Authentication

Affected Products

Vendor: infiniflow

Product: infiniflow/ragflow

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 9.04% (scored less or equal to compared to others)

EPSS Date: 2025-04-17 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-12869
https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a

Timeline

2025-03-20 11:40:29 UTC
CVE

Improper Authentication in infiniflow/ragflow