216.73.217.64

CVE-2024-12880

· Published 20/03/2025 10:15 · Modified 20/03/2025 10:15

Labels: CVE-2024-12880 2025-03-20CVE-2024-12880CWE-285[email protected]

Essential information

Published
20/03/2025 10:15
Modified
20/03/2025 10:15
Author
Creator
CVSS
8.1 HIGH (v3.0)
CISA KEV
No
CWE
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVSS metrics

Description

A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The issue arises from the way tenant IDs are handled in the application. If a user has access to multiple tenants, they can manipulate their tenant access to query and access API tokens of other tenants. This vulnerability affects the following endpoints: /v1/system/token_list, /v1/system/new_token, /v1/api/token_list, /v1/api/new_token, and /v1/api/rm. An attacker can exploit this to access other tenants' API tokens, perform actions on behalf of other tenants, and access their data.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
infiniflow / ragflow cpe:2.3:a:infiniflow:ragflow:RAGFlow-0.13.0:*:*:*:*:*:*:*

References