PT-2025-12152 · Infiniflow · Ragflow

Published 2025-03-20 · Updated 2025-03-20 · CVE-2024-12870

CVSS v3.1: 5.4 Medium

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

infiniflow/ragflow version cec2080

Description

A stored cross-site scripting (XSS) issue exists, allowing an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' content type, which is automatically rendered by browsers. This can lead to the execution of arbitrary JavaScript in the context of the user's browser, potentially allowing attackers to steal cookies and gain unauthorized access to user files and resources. The issue does not require authentication, making it accessible to anyone with network access to the instance.

Recommendations

For version cec2080, consider restricting access to the file upload feature until a patch is available, and avoid serving user-uploaded files with the 'application/xml' content type to minimize the risk of exploitation. As a temporary workaround, consider disabling the rendering of XML files in the browser or restricting the execution of JavaScript payloads from uploaded files.
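
One way to apply the recommendation above when serving uploads, shown as an added example (this is not Ragflow's code or its patch). The function name, the inline allowlist and the sample filenames are assumptions made for illustration.

```python
import os
import re
from urllib.parse import quote

# Extensions allowed to display inline (assumed allowlist for this example).
# Everything else, including .html, .xml, .xhtml and .svg, is sent as an
# opaque download so the browser never renders it in the application's origin.
INLINE_SAFE = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".txt": "text/plain; charset=utf-8",
}


def upload_response_headers(filename: str) -> dict:
    """Build response headers for a user-uploaded file (hypothetical helper)."""
    # Keep only the final path component and neutralise control characters
    # and quotes before the name is placed in a header value.
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r'[\x00-\x1f\x7f"]', "_", base) or "download"
    ext = os.path.splitext(base)[1].lower()

    inline_type = INLINE_SAFE.get(ext)
    disposition = "inline" if inline_type else "attachment"
    return {
        # Never echo an active type such as application/xml or text/html.
        "Content-Type": inline_type or "application/octet-stream",
        # RFC 5987 encoding keeps the file name to percent-encoded ASCII.
        "Content-Disposition": "%s; filename*=UTF-8''%s" % (disposition, quote(base)),
        # Stop the browser from sniffing the body into a renderable type.
        "X-Content-Type-Options": "nosniff",
        # If the response is rendered anyway, scripts stay disabled.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for name in ("payload.xml", "../../x.SVG", "photo.PNG"):
        print(name, "->", upload_response_headers(name))
```
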

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-12870

Affected Products

Ragflow