GHSA-9cwv-pxcr-hfjc

Source

https://github.com/advisories/GHSA-9cwv-pxcr-hfjc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-9cwv-pxcr-hfjc/GHSA-9cwv-pxcr-hfjc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9cwv-pxcr-hfjc

Aliases

CVE-2024-52290
GO-2025-3682

Published

2025-05-14T21:41:26Z

Modified

2025-05-15T20:41:58.262374Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N CVSS Calculator

Summary

LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality

Details

Summary

Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.

Details

A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Connection Configuration key Name (confKey) parameter. Then, after any user with access to this service (e.g. admin) will try to delete this key, a payload will act in victim's browser.

PoC

Authorize as a user with rights to modificate the service (e.g. kuiperUser role).
Create a service or go to the existing one and access the Configuration > Connection page:

*Configuration > Connection page

Open any existing Connection and press on Add configuration key:

Set any name and Address, then intercept the request and add the following payload to the confKey parameter: 123%3Cimg%20src=1%20onerror%3dalert%281%29%3E:

A new configuration key then will be set:

(Optional) You can authorize another user with access to this service. For nexe steps I will use admin user
After we push on delete button (trash icon) opposite the created connection, the payload will work:

Impact

Stored Cross-site Scripting (XSS) vulnerability

Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone

Database specific

{
    "nvd_published_at": "2025-05-14T08:15:33Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-14T21:41:26Z"
}

References

Affected packages

Go / github.com/lf-edge/ekuiper

Package

Name: github.com/lf-edge/ekuiper; View open source insights on deps.dev
Purl: pkg:golang/github.com/lf-edge/ekuiper

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.14.7

Go / github.com/lf-edge/ekuiper/v2

Package

Name: github.com/lf-edge/ekuiper/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/lf-edge/ekuiper/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0