ghsa-6hrw-x7pr-4mp8
Vulnerability from github
Published
2025-03-10 19:28
Modified
2025-03-14 19:56
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
LF Edge eKuiper allows Stored XSS in Rules Functionality
Details

Summary

Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.

Details

A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Rule id parameter. Then, after any user with access to this service (e.g. admin) will try make any modifications with the rule (update, run, stop, delete), a payload will act in victim's browser.

The issue appears as the notification to user is made in an insafe way:

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L716

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L735

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L794

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L809

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L824

Such writing to 'http.ResponseWriter' bypasses HTML escaping that prevents cross-site scripting vulnerabilities.

Because of the some (meybe protection) mechanisms a real exploitation is possible only with limited special characters, but this is enough to construct a strong payload

PoC

  1. Create a rule with id: ```
``` ![Creating a malicious Rule](https://github.com/user-attachments/assets/32d4f632-1f3c-471a-857b-7c4ce41030c6) 2. Just after Rule Submition the Payload shoots: ![Running Payload](https://github.com/user-attachments/assets/81021d04-e9a4-4e7f-8644-5240dcd2324c) 3. Then, when another user (e.g. `admin`) will try to do something with this rule (e.g. start), the payload shoots in his context: ![Exploiting the admin](https://github.com/user-attachments/assets/9adf9a33-966e-415a-a613-99a9b6cd4f10) ### Impact Stored Cross-site Scripting (XSS) vulnerability Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone
Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/ekuiper/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/ekuiper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.14.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52812"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-10T19:28:38Z",
    "nvd_published_at": "2025-03-10T18:15:29Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nStored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users\u0027 browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.\n\n### Details\n\nA user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Rule `id` parameter. Then, after any user with access to this service (e.g. admin) will try make any modifications with the rule (update, run, stop, delete), a payload will act in victim\u0027s browser.\n\nThe issue appears as the notification to user is made in an insafe way:\n\nhttps://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681\n\nhttps://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L716\n\nhttps://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L735\n\nhttps://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L794\n\nhttps://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L809\n\nhttps://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L824\n\nSuch writing to \u0027http.ResponseWriter\u0027  bypasses HTML escaping that prevents cross-site scripting vulnerabilities.\n\nBecause of the some (meybe protection) mechanisms a real exploitation is possible only with limited special characters, but this is enough to construct a strong payload\n\n### PoC\n1. Create a rule with id:\n```\n\u003ciframe src=\"javascript:alert`1337`\"\u003e\n```\n![Creating a malicious Rule](https://github.com/user-attachments/assets/32d4f632-1f3c-471a-857b-7c4ce41030c6)\n\n2. Just after Rule Submition the Payload shoots:\n\n![Running Payload](https://github.com/user-attachments/assets/81021d04-e9a4-4e7f-8644-5240dcd2324c)\n\n3. Then, when another user (e.g. `admin`) will try to do something with this rule (e.g. start), the payload shoots in his context:\n\n![Exploiting the admin](https://github.com/user-attachments/assets/9adf9a33-966e-415a-a613-99a9b6cd4f10)\n\n### Impact\n\nStored Cross-site Scripting (XSS) vulnerability\n\nReported by Alexey Kosmachev, Lead Pentester from Bi.Zone",
  "id": "GHSA-6hrw-x7pr-4mp8",
  "modified": "2025-03-14T19:56:46Z",
  "published": "2025-03-10T19:28:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-6hrw-x7pr-4mp8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52812"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lf-edge/ekuiper"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L716"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L735"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L794"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L809"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L824"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/releases/tag/v2.0.8"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3508"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LF Edge eKuiper allows Stored XSS in Rules Functionality"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.