CVE-2024-52290 (GCVE-0-2024-52290)
Vulnerability from cvelistv5 – Published: 2025-05-14 07:19 – Updated: 2025-05-14 13:21
VLAI?
Title
Stored XSS in Configuration Key Functionality
Summary
LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue.
Severity ?
6.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52290",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T13:21:27.007976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T13:21:31.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ekuiper",
"vendor": "lf-edge",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim\u0027s browser. Version 2.1.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T07:19:50.045Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc"
}
],
"source": {
"advisory": "GHSA-9cwv-pxcr-hfjc",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Configuration Key Functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52290",
"datePublished": "2025-05-14T07:19:50.045Z",
"dateReserved": "2024-11-06T19:00:26.394Z",
"dateUpdated": "2025-05-14T13:21:31.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52290\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-14T13:21:27.007976Z\"}}}], \"references\": [{\"url\": \"https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-14T13:21:21.859Z\"}}], \"cna\": {\"title\": \"Stored XSS in Configuration Key Functionality\", \"source\": {\"advisory\": \"GHSA-9cwv-pxcr-hfjc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"lf-edge\", \"product\": \"ekuiper\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc\", \"name\": \"https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim\u0027s browser. Version 2.1.0 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-14T07:19:50.045Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-52290\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-14T13:21:31.315Z\", \"dateReserved\": \"2024-11-06T19:00:26.394Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-14T07:19:50.045Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-9CWV-PXCR-HFJC
Vulnerability from github – Published: 2025-05-14 21:41 – Updated: 2025-05-14 21:41
VLAI?
Summary
LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality
Details
Summary
Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.
Details
A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Connection Configuration key Name (confKey) parameter. Then, after any user with access to this service (e.g. admin) will try to delete this key, a payload will act in victim's browser.
PoC
- Authorize as a user with rights to modificate the service (e.g. kuiperUser role).
- Create a service or go to the existing one and access the Configuration > Connection page:
- Open any existing Connection and press on
Add configuration key:
- Set any name and Address, then intercept the request and add the following payload to the
confKeyparameter:123%3Cimg%20src=1%20onerror%3dalert%281%29%3E:
- A new configuration key then will be set:
- (Optional) You can authorize another user with access to this service. For nexe steps I will use admin user
- After we push on delete button (trash icon) opposite the created connection, the payload will work:
Impact
Stored Cross-site Scripting (XSS) vulnerability
Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone
Severity ?
6.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/ekuiper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.14.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/ekuiper/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52290"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-14T21:41:26Z",
"nvd_published_at": "2025-05-14T08:15:33Z",
"severity": "MODERATE"
},
"details": "### Summary\nStored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users\u0027 browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.\n\n### Details\nA user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Connection Configuration key `Name` (`confKey`) parameter. Then, after any user with access to this service (e.g. admin) will try to delete this key, a payload will act in victim\u0027s browser.\n\n### PoC\n1. Authorize as a user with rights to modificate the service (e.g. kuiperUser role).\n2. Create a service or go to the existing one and access the *Configuration \u003e Connection* page:\n\n\n\n3. Open any existing Connection and press on `Add configuration key`:\n\n\n\n4. Set any name and Address, then intercept the request and add the following payload to the `confKey` parameter: `123%3Cimg%20src=1%20onerror%3dalert%281%29%3E`:\n\n\n\n5. A new configuration key then will be set: \n\n\n\n6. *(Optional)* You can authorize another user with access to this service. For nexe steps I will use admin user\n7. After we push on delete button (trash icon) opposite the created connection, the payload will work:\n\n\n\n\n### Impact\nStored Cross-site Scripting (XSS) vulnerability\n\nReported by Alexey Kosmachev, Lead Pentester from Bi.Zone",
"id": "GHSA-9cwv-pxcr-hfjc",
"modified": "2025-05-14T21:41:26Z",
"published": "2025-05-14T21:41:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52290"
},
{
"type": "WEB",
"url": "https://github.com/lf-edge/ekuiper/commit/943c02e10f0f8349e609474810eab5fa460d1a51"
},
{
"type": "PACKAGE",
"url": "https://github.com/lf-edge/ekuiper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality"
}
FKIE_CVE-2024-52290
Vulnerability from fkie_nvd - Published: 2025-05-14 08:15 - Updated: 2025-07-11 16:20
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc | Exploit, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lfedge:ekuiper:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4F49017-28A6-4CF4-A548-7F064581539E",
"versionEndExcluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim\u0027s browser. Version 2.1.0 fixes the issue."
},
{
"lang": "es",
"value": "LF Edge eKuiper es un motor ligero de an\u00e1lisis de datos y procesamiento de flujos del Internet de las Cosas (IoT). Antes de la versi\u00f3n 2.1.0, los usuarios con permisos para modificar el servicio (por ejemplo, el rol kuiperUser) pod\u00edan inyectar un payload de cross-site scripting en el par\u00e1metro `Name` (`confKey`) de la clave de configuraci\u00f3n de conexi\u00f3n. Tras esta configuraci\u00f3n, cuando un usuario con acceso a este servicio (por ejemplo, el administrador) intenta eliminar esta clave, se activa un payload en el navegador de la v\u00edctima. La versi\u00f3n 2.1.0 soluciona el problema."
}
],
"id": "CVE-2024-52290",
"lastModified": "2025-07-11T16:20:52.177",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-05-14T08:15:33.250",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…