CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52812 – LF Edge eKuiper has Stored XSS in Rules Functionality
https://notcve.org/view.php?id=CVE-2024-52812
10 Mar 2025 — LF Edge eKuiper is an internet-of-things data analytics and stream processing engine. Prior to version 2.0.8, auser with rights to modify the service (e.g. kuiperUser role) can inject a cross-site scripting payload into the rule `id` parameter. Then, after any user with access to this service (e.g. admin) tries make any modifications with the rule (update, run, stop, delete), a payload acts in the victim's browser. Version 2.0.8 fixes the issue. • https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43406 – LF Edge eKuiper has a SQL Injection in sqlKvStore
https://notcve.org/view.php?id=CVE-2024-43406
20 Aug 2024 — LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2. • https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •