CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52290 – Stored XSS in Configuration Key Functionality
https://notcve.org/view.php?id=CVE-2024-52290
14 May 2025 — LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue. LF Edge eKuiper es un motor ligero de anális... • https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52812 – LF Edge eKuiper has Stored XSS in Rules Functionality
https://notcve.org/view.php?id=CVE-2024-52812
28 Feb 2025 — LF Edge eKuiper is an internet-of-things data analytics and stream processing engine. Prior to version 2.0.8, auser with rights to modify the service (e.g. kuiperUser role) can inject a cross-site scripting payload into the rule `id` parameter. Then, after any user with access to this service (e.g. admin) tries make any modifications with the rule (update, run, stop, delete), a payload acts in the victim's browser. Version 2.0.8 fixes the issue. These are all security issues fixed in the govulncheck-vulndb-... • https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43406 – LF Edge eKuiper has a SQL Injection in sqlKvStore
https://notcve.org/view.php?id=CVE-2024-43406
20 Aug 2024 — LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2. • https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •