CVE-2024-26140

MEDIUM

Yet Analytics LRS < 1.2.17 and SQL LRS < 0.7.5 - Cross-Site Scripting via xAPI Statement

Title source: llm

Description

com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.

Scores

CVSS v3 4.6
EPSS 0.0045
EPSS Percentile 35.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (3)
com.yetanalytics/lrs 0 - 1.2.17 (Maven)
yetanalytics/lrs < 1.2.17
yetanalytics/sql_lrs < 0.7.5
Published Feb 20, 2024
Tracked Since Feb 18, 2026