CVE-2024-52290
Published 2025-05-14
Priority P4 25 · Severity: medium · CVSS 3.1 base score 5.4
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.24% (15.3th percentile)
LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0, a user with rights to modify the service (e.g. the kuiperUser role) can inject a cross-site scripting payload into the Connection Configuration key `Name` (`confKey`) parameter. Once that value is stored, any user with access to the service (e.g. an admin) who tries to delete the key has the payload executed in their browser. Version 2.1.0 fixes the issue.
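To show the bug class and its two standard mitigations side by side, here is an added Go example; it is not eKuiper's code, and the confKey character rules, the function names and the delete-prompt markup are all assumptions made for the illustration:

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"regexp"
)

// Assumed naming rule for a connection configuration key. eKuiper's real
// rules are not on the page; this allowlist is a hypothetical hardening choice.
var confKeyPattern = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,64}$`)

// ValidateConfKey rejects confKey values carrying markup or other characters
// an identifier never needs, so a payload is never stored in the first place.
func ValidateConfKey(confKey string) error {
	if !confKeyPattern.MatchString(confKey) {
		return errors.New("confKey must be 1-64 characters of [A-Za-z0-9_.-]")
	}
	return nil
}

// UnsafeDeletePrompt mirrors the flaw class: the stored name is concatenated
// straight into HTML, so markup inside confKey reaches the admin's browser intact.
func UnsafeDeletePrompt(confKey string) string {
	return fmt.Sprintf("<p>Delete connection configuration key <b>%s</b>?</p>", confKey)
}

var deletePrompt = template.Must(template.New("del").Parse(
	`<p>Delete connection configuration key <b>{{.}}</b>?</p>`))

// SafeDeletePrompt renders the same message through html/template, which
// escapes the value for its HTML context, so the stored name is displayed, not executed.
func SafeDeletePrompt(confKey string) (string, error) {
	var buf bytes.Buffer
	if err := deletePrompt.Execute(&buf, confKey); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample: a key name carrying HTML markup, as the advisory describes.
	hostile := "<b>key</b><script>x()</script>"
	fmt.Println("validate:", ValidateConfKey(hostile))
	fmt.Println("unsafe:  ", UnsafeDeletePrompt(hostile))
	safe, _ := SafeDeletePrompt(hostile)
	fmt.Println("safe:    ", safe)
}
```

Both layers matter: the allowlist stops a payload being written, and context-aware escaping at render time protects every existing view even when an older record was stored before validation was added.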
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | lf-edge_ekuiper | 0 – 1.14.7 | — |
| github.com | lf-edge_ekuiper_v2 | >= 0 < 2.1.0 | 2.1.0 |
| lf-edge | ekuiper | < 2.1.0 | 2.1.0 |
| lfedge | ekuiper | < 2.1.0 | 2.1.0 |
OSV (2025-05-15): LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality in github.com/lf-edge/ekuiper
OSV (2025-05-14) [MEDIUM]: LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality
### Summary
Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.
### Details
A user with rights to modify the service (e.g. the kuiperUser role) can inject an XSS payload into the Connection Configuration key `Name` (`confKey`) parameter. Afterwards, when any user with access to this service (e.g. an admin) tries to delete this key, the payload executes in the victim's browser.
### PoC
1. Authorize as a user with rights to modificate the ser
GHSA (2025-05-14) [MEDIUM, CWE-79]: LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality (same advisory text as the OSV entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.