PT-2025-21139 · LF Edge · eKuiper

Published: 2025-05-14 · Updated: 2025-07-11 · CVE-2024-52290
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LF Edge eKuiper, versions prior to 2.1.0
Description: LF Edge eKuiper is a lightweight Internet of Things (IoT) data analytics and stream processing engine. A user with rights to modify the service, such as one holding the kuiperUser role, can store a cross-site scripting payload in the Name (confKey) parameter of a Connection Configuration key. Once the key is stored, any user with access to the service, such as an admin, who attempts to delete that key has the payload executed in their browser (a stored XSS that requires a low-privileged account and user interaction, consistent with the PR:L/UI:R vector above).
Recommendations: For versions prior to 2.1.0, update to version 2.1.0, which fixes the issue. As a temporary workaround, restrict which accounts may create or modify Connection Configuration keys to minimize the risk of exploitation, and avoid using the Name (confKey) parameter in the affected Connection Configuration until the update is applied.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-52290
GHSA-9CWV-PXCR-HFJC
GO-2025-3682
OPENSUSE-SU-2025:15135-1

Affected Products

eKuiper