Moderate severityNVD Advisory· Published May 14, 2025· Updated May 14, 2025
Stored XSS in Configuration Key Functionality
CVE-2024-52290
Description
LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key Name (confKey) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/lf-edge/ekuiperGo | <= 1.14.7 | — |
github.com/lf-edge/ekuiper/v2Go | < 2.1.0 | 2.1.0 |
Affected products
4- ghsa-coords3 versionspkg:golang/github.com/lf-edge/ekuiperpkg:golang/github.com/lf-edge/ekuiper/v2pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
<= 1.14.7+ 2 more
- (no CPE)range: <= 1.14.7
- (no CPE)range: < 2.1.0
- (no CPE)range: < 0.0.20250515T200012-1.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-9cwv-pxcr-hfjcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-52290ghsaADVISORY
- github.com/lf-edge/ekuiper/commit/943c02e10f0f8349e609474810eab5fa460d1a51ghsaWEB
- github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjcghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.