
We found results for “”
CVE-2024-12779
Date: March 20, 2025
A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the "POST /v1/llm/add_llm" and "POST /v1/conversation/tts" endpoints. Attackers can specify an arbitrary URL as the "api_base" when adding an "OPENAITTS" model, and subsequently access the "tts" REST API endpoint to read contents from the specified URL. This can lead to unauthorized access to internal web resources.
Severity Score
Severity Score
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)
CWE-918CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | NONE |
Availability (A): | NONE |