{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52290", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-06T19:00:26.394Z", "datePublished": "2025-05-14T07:19:50.045Z", "dateUpdated": "2025-05-14T13:21:31.315Z"}, "containers": {"cna": {"title": "Stored XSS in Configuration Key Functionality", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc"}], "affected": [{"vendor": "lf-edge", "product": "ekuiper", "versions": [{"version": "< 2.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-14T07:19:50.045Z"}, "descriptions": [{"lang": "en", "value": "LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue."}], "source": {"advisory": "GHSA-9cwv-pxcr-hfjc", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-14T13:21:27.007976Z", "id": "CVE-2024-52290", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T13:21:31.315Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52290", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-14T13:21:27.007976Z"}}}], "references": [{"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T13:21:21.859Z"}}], "cna": {"title": "Stored XSS in Configuration Key Functionality", "source": {"advisory": "GHSA-9cwv-pxcr-hfjc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "lf-edge", "product": "ekuiper", "versions": [{"status": "affected", "version": "< 2.1.0"}]}], "references": [{"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc", "name": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-14T07:19:50.045Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52290", "state": "PUBLISHED", "dateUpdated": "2025-05-14T13:21:31.315Z", "dateReserved": "2024-11-06T19:00:26.394Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-14T07:19:50.045Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfedge:ekuiper:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4F49017-28A6-4CF4-A548-7F064581539E", "versionEndExcluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue."}, {"lang": "es", "value": "LF Edge eKuiper es un motor ligero de an\u00e1lisis de datos y procesamiento de flujos del Internet de las Cosas (IoT). Antes de la versi\u00f3n 2.1.0, los usuarios con permisos para modificar el servicio (por ejemplo, el rol kuiperUser) pod\u00edan inyectar un payload de cross-site scripting en el par\u00e1metro `Name` (`confKey`) de la clave de configuraci\u00f3n de conexi\u00f3n. Tras esta configuraci\u00f3n, cuando un usuario con acceso a este servicio (por ejemplo, el administrador) intenta eliminar esta clave, se activa un payload en el navegador de la v\u00edctima. La versi\u00f3n 2.1.0 soluciona el problema."}], "id": "CVE-2024-52290", "lastModified": "2025-07-11T16:20:52.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-14T08:15:33.250", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}