CVE-2024-52290 Information

Description

LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key Name (confKey) parameter. After this setup when any user with access to this service (e.g. admin) tries to delete this key a payload acts in the victim’s browser. Version 2.1.0 fixes the issue.

Reference

https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc