CVE-2024-52290
MEDIUMLF Edge eKuiper < 2.1.0 - Stored Cross-Site Scripting via Connection Configuration Name Parameter
Title source: llmDescription
LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue.
References (1)
Core 1
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc
Scores
CVSS v3
6.3
EPSS
0.0024
EPSS Percentile
15.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
lf-edge/ekuiper
0Go
lf-edge/ekuiper
0 - 2.1.0Go
lfedge/ekuiper
< 2.1.0
Published
May 14, 2025
Tracked Since
Feb 18, 2026