CVE-2024-12869

low-risk
Published 2025-03-20

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or usernames in the invite list, could be exposed without their consent. This data leakage can facilitate further attacks, such as phishing or spam, and result in loss of trust and potential regulatory issues.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Ragflow

Affected Vendors

Infiniflow

References (2)

Exploit https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a
Exploit https://huntr.com/bounties/768b1a56-1e79-416a-8445-65953568b04a
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal