CVE-2024-26140
Severity: MEDIUM
Yet Analytics LRS < 1.2.17 and SQL LRS < 0.7.5 - Cross-Site Scripting via xAPI Statement
Title source: llmDescription
com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.
References (5)
Vendor Advisory (x_refsource_confirm): https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46
Patch (x_refsource_misc): https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621
Product, Release Notes (x_refsource_misc): https://clojars.org/com.yetanalytics/lrs/versions/1.2.17
Release Notes (x_refsource_misc): https://github.com/yetanalytics/lrs/releases/tag/v1.2.17
Release Notes (x_refsource_misc): https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5
Scores
CVSS v3: 4.6
EPSS: 0.0045
EPSS Percentile: 35.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (3)
com.yetanalytics/lrs (Maven): 0 - 1.2.17
yetanalytics/lrs: < 1.2.17
yetanalytics/sql_lrs: < 0.7.5
Published: Feb 20, 2024
Tracked Since: Feb 18, 2026