CVE-2024-52812
Published 2025-03-10
Priority: P427 · Severity: medium · CVSS 3.1 base score: 5.4 · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.31% (23.0th percentile)
LF Edge eKuiper is an internet-of-things data analytics and stream processing engine. Prior to version 2.0.8, a user with rights to modify the service (e.g. the kuiperUser role) can inject a cross-site scripting payload into the rule `id` parameter. Then, when any user with access to this service (e.g. an admin) tries to make any modification to the rule (update, run, stop, delete), the payload executes in the victim's browser. Version 2.0.8 fixes the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | lf-edge_ekuiper | 0 – 1.14.7 | — |
| github.com | lf-edge_ekuiper_v2 | >= 0 < 2.0.8 | 2.0.8 |
| lf-edge | ekuiper | < 2.0.8 | 2.0.8 |
OSV · 2025-03-13
CVE-2024-52812: LF Edge eKuiper allows Stored XSS in Rules Functionality in github.com/lf-edge/ekuiper
OSV · 2025-03-10
CVE-2024-52812 [MEDIUM]: LF Edge eKuiper allows Stored XSS in Rules Functionality
### Summary
A stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into a web application, which are then executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.
### Details
A user with rights to modify the service (e.g. the kuiperUser role) can inject an XSS payload into the rule `id` parameter. Then, when any user with access to this service (e.g. an admin) tries to make any modification to the rule (update, run, stop, delete), the payload executes in the victim's browser.
The issue arises because the notification shown to the user is built in an unsafe way.
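The flaw described above is the classic one: a stored, user-controlled identifier is interpolated into a message that a browser later renders as HTML. The following Go example is added here to illustrate that pattern and its fix; it is not eKuiper's own code (the referenced `rest.go` handlers are not reproduced), and the message format, the `ruleIDPattern` allow-list and the sample id are assumptions.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// ruleIDPattern is an assumed allow-list for rule ids (letters, digits, '_' and '-').
// It is illustrative; eKuiper's own validation, if any, is not reproduced here.
var ruleIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// unsafeRuleMessage models the flawed pattern: the stored rule id is placed
// verbatim into a status message that the UI renders as HTML, so any markup
// the id carries is rendered (and scripts in it run) in the viewer's browser.
func unsafeRuleMessage(action, id string) string {
	return fmt.Sprintf("Rule %s was %s.", id, action)
}

// safeRuleMessage is the hardened form: the id is HTML-escaped on output, so
// '<', '>', '&' and quotes become entities and the id is shown as plain text.
func safeRuleMessage(action, id string) string {
	return fmt.Sprintf("Rule %s was %s.", html.EscapeString(id), action)
}

// validateRuleID is the complementary input-side check: reject ids that contain
// anything outside the allow-list so markup never reaches storage at all.
func validateRuleID(id string) error {
	if !ruleIDPattern.MatchString(id) {
		return fmt.Errorf("invalid rule id %q: only letters, digits, '_' and '-' are allowed", id)
	}
	return nil
}

func main() {
	// Constructed sample: a rule id carrying HTML markup, as a low-privileged user could store.
	id := "sensor-1<script>x</script>"
	fmt.Println("unsafe:  ", unsafeRuleMessage("started", id))
	fmt.Println("escaped: ", safeRuleMessage("started", id))
	fmt.Println("validate:", validateRuleID(id))
}
```

Output escaping is the control that closes the bug regardless of how the id got stored; the allow-list is defence in depth, since an id that is later used in file paths or log lines benefits from the same restriction.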
GHSA · 2025-03-10
CVE-2024-52812 [MEDIUM] CWE-79: LF Edge eKuiper allows Stored XSS in Rules Functionality
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681
- https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L716
- https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L735
- https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L794
- https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L809
- https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L824
- https://github.com/lf-edge/ekuiper/releases/tag/v2.0.8
- https://github.com/lf-edge/ekuiper/security/advisories/GHSA-6hrw-x7pr-4mp8