// For flags

CVE-2024-52290

Stored XSS in Configuration Key Functionality

Severity Score

6.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue.

LF Edge eKuiper es un motor ligero de análisis de datos y procesamiento de flujos del Internet de las Cosas (IoT). Antes de la versión 2.1.0, los usuarios con permisos para modificar el servicio (por ejemplo, el rol kuiperUser) podían inyectar un payload de cross-site scripting en el parámetro `Name` (`confKey`) de la clave de configuración de conexión. Tras esta configuración, cuando un usuario con acceso a este servicio (por ejemplo, el administrador) intenta eliminar esta clave, se activa un payload en el navegador de la víctima. La versión 2.1.0 soluciona el problema.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-11-06 CVE Reserved
  • 2025-05-14 CVE Published
  • 2025-05-14 CVE Updated
  • 2025-06-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
URL Tag Source
https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc X_refsource_confirm
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Lf-edge
Search vendor "Lf-edge"
 Ekuiper
Search vendor "Lf-edge" for product "Ekuiper"
 < 2.1.0
Search vendor "Lf-edge" for product "Ekuiper" and version " < 2.1.0"
en
Affected