CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-52290: Stored XSS in Configuration Key Functionality

6.3 CVSS

Description

LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue.

Classification

CVE ID: CVE-2024-52290

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: lf-edge

Product: ekuiper

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.93% (scored less or equal to compared to others)

EPSS Date: 2025-06-12 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-52290
https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc

Timeline

2025-05-14 08:40:14 UTC
CVE

Stored XSS in Configuration Key Functionality
2025-05-14 22:15:25 UTC
Github Advisory Database (Go)

[github.com/lf-edge/ekuiper/v2] LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality
2025-05-14 22:15:25 UTC
Github Advisory Database (Go)

[github.com/lf-edge/ekuiper] LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality