CVE-2024-52290

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-52290
LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue.

6.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc
https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc
Configurations

No configuration.

History

14 May 2025, 14:15

Type Values Removed Values Added
References () https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc - () https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc -
Summary
  • (es) LF Edge eKuiper es un motor ligero de análisis de datos y procesamiento de flujos del Internet de las Cosas (IoT). Antes de la versión 2.1.0, los usuarios con permisos para modificar el servicio (por ejemplo, el rol kuiperUser) podían inyectar un payload de cross-site scripting en el parámetro `Name` (`confKey`) de la clave de configuración de conexión. Tras esta configuración, cuando un usuario con acceso a este servicio (por ejemplo, el administrador) intenta eliminar esta clave, se activa un payload en el navegador de la víctima. La versión 2.1.0 soluciona el problema.

14 May 2025, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-14 08:15

Updated : 2025-05-16 14:43

NVD link : CVE-2024-52290

Mitre link : CVE-2024-52290

CVE.ORG link : CVE-2024-52290

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')