LF Edge eKuiper Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in LF Edge eKuiper versions through 1.14.4. This issue allows users with the kuiperUser role to inject malicious scripts into the Connection Configuration key 'Name' parameter. When an admin user attempts to delete the key, the injected script is executed in the admin's browser, potentially leading to session hijacking or unauthorized access to sensitive information.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of other users' browsers.

Reproduction

To reproduce this vulnerability, log in as a user with the kuiperUser role. Navigate to the 'Configuration > Connection' page and add a new configuration key. Intercept the request and inject a cross-site scripting payload into the 'confKey' parameter. Once the key is saved, log in as an admin user and delete the connection. The injected payload will execute in the admin's browser.
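The bug class behind this report, and the two controls that close it, shown as an added JavaScript illustration. This is not eKuiper's code: the render functions, the key names and the allowlist pattern are all constructed assumptions for the example. The vulnerable renderer interpolates the stored key name straight into the HTML of the admin's delete-confirmation view, so any markup a kuiperUser persisted is parsed by the admin's browser; the hardened renderer HTML-encodes the name for the text context, and a server-side allowlist check at creation time keeps markup from being stored at all.

```javascript
// Added illustration, not eKuiper code. Constructed sample key names:
// one carrying markup, one that is an ordinary identifier.
const SAMPLE_KEY_WITH_MARKUP = 'broker<script>alert(1)</script>';
const SAMPLE_KEY_CLEAN = 'mqtt_broker_1';

// Vulnerable pattern (hypothetical): the stored confKey is dropped into the
// HTML of the delete-confirmation view unencoded. Whatever the low-privilege
// user stored is now parsed as markup in the admin's browser.
function renderDeleteConfirmUnsafe(confKey) {
  return `<p>Delete connection key "${confKey}"?</p>`;
}

// Control 1: contextual output encoding for the HTML text/attribute context.
// Encodes the five characters that can change the meaning of HTML.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same markup, but the untrusted name is encoded first,
// so the browser shows "<script>" as literal text instead of executing it.
function renderDeleteConfirmSafe(confKey) {
  return `<p>Delete connection key "${escapeHtml(confKey)}"?</p>`;
}

// Control 2: server-side allowlist validation where the key is created.
// Rejecting anything outside a conservative identifier alphabet means markup
// never reaches storage. The pattern is an assumption for this example, not
// eKuiper's actual naming rule.
const CONF_KEY_PATTERN = /^[A-Za-z0-9_.-]{1,64}$/;

function isValidConfKey(confKey) {
  return CONF_KEY_PATTERN.test(String(confKey));
}

// Simulated create handler (hypothetical): validate before persisting.
// Returns the stored record, or null when the name is rejected.
function createConnectionKey(store, confKey) {
  if (!isValidConfKey(confKey)) {
    return null;
  }
  const record = { name: confKey };
  store.push(record);
  return record;
}

// Stand-alone demonstration of both renderers on the constructed input.
const store = [];
console.log('unsafe:', renderDeleteConfirmUnsafe(SAMPLE_KEY_WITH_MARKUP));
console.log('safe:  ', renderDeleteConfirmSafe(SAMPLE_KEY_WITH_MARKUP));
console.log('create clean ->', createConnectionKey(store, SAMPLE_KEY_CLEAN));
console.log('create markup ->', createConnectionKey(store, SAMPLE_KEY_WITH_MARKUP));
```

Output encoding is the control that actually fixes the rendering bug; input validation is defence in depth that also removes the stored payload from every other view that might display the name. Both belong in a fix, since a validator alone leaves any previously stored keys live.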

Remediation

Users are advised to update to LF Edge eKuiper version 2.1.0 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          1.4
impact          5.4
exploitability  6.0
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.