ghsa-9cwv-pxcr-hfjc
Vulnerability from github
Published
2025-05-14 21:41
Modified
2025-05-14 21:41
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Summary
LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality
Details

Summary

Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.

Details

A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Connection Configuration key Name (confKey) parameter. Then, after any user with access to this service (e.g. admin) will try to delete this key, a payload will act in victim's browser.

PoC

  1. Authorize as a user with rights to modificate the service (e.g. kuiperUser role).
  2. Create a service or go to the existing one and access the Configuration > Connection page:

*Configuration > Connection page

  1. Open any existing Connection and press on Add configuration key:

image

  1. Set any name and Address, then intercept the request and add the following payload to the confKey parameter: 123%3Cimg%20src=1%20onerror%3dalert%281%29%3E:

image

  1. A new configuration key then will be set:

image

  1. (Optional) You can authorize another user with access to this service. For nexe steps I will use admin user
  2. After we push on delete button (trash icon) opposite the created connection, the payload will work:

image

Impact

Stored Cross-site Scripting (XSS) vulnerability

Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/ekuiper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.14.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/ekuiper/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-14T21:41:26Z",
    "nvd_published_at": "2025-05-14T08:15:33Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nStored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users\u0027 browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.\n\n### Details\nA user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Connection Configuration key `Name` (`confKey`) parameter. Then, after any user with access to this service (e.g. admin) will try to delete this key, a payload will act in victim\u0027s browser.\n\n### PoC\n1. Authorize as a user with rights to modificate the service (e.g. kuiperUser role).\n2. Create a service or go to the existing one and access the *Configuration \u003e Connection* page:\n\n![*Configuration \u003e Connection page](https://github.com/user-attachments/assets/d29cbc23-04a4-4a49-bbd9-b26f74282c5c)\n\n3. Open any existing Connection and press on `Add configuration key`:\n\n![image](https://github.com/user-attachments/assets/623dc76a-076c-41be-98d7-8fd42ed4e8fd)\n\n4. Set any name and Address, then intercept the request and add the following payload to the `confKey` parameter: `123%3Cimg%20src=1%20onerror%3dalert%281%29%3E`:\n\n![image](https://github.com/user-attachments/assets/405000db-ace9-4bca-ac52-7dc44c54a0ae)\n\n5. A new configuration key then will be set: \n\n![image](https://github.com/user-attachments/assets/43b75f1e-81ac-4815-9250-c1a0707827d3)\n\n6. *(Optional)* You can authorize another user with access to this service. For nexe steps I will use admin user\n7. After we push on delete button (trash icon) opposite the created connection, the payload will work:\n\n![image](https://github.com/user-attachments/assets/05a38899-343b-4f76-b6c7-8e27587e3cdf)\n\n\n### Impact\nStored Cross-site Scripting (XSS) vulnerability\n\nReported by Alexey Kosmachev, Lead Pentester from Bi.Zone",
  "id": "GHSA-9cwv-pxcr-hfjc",
  "modified": "2025-05-14T21:41:26Z",
  "published": "2025-05-14T21:41:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52290"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/commit/943c02e10f0f8349e609474810eab5fa460d1a51"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lf-edge/ekuiper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.