LF Edge eKuiper Cross-Site Scripting Vulnerability in Rule Management

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in LF Edge eKuiper versions prior to 2.0.8. A user holding the lower-privileged kuiperUser role can create a rule whose 'id' contains script content. The id is stored exactly as supplied, and when an admin user later manages that rule (updating, running, stopping, or deleting it), the id is rendered into the admin's browser and the injected script executes there. The root cause is that the application neither validates the user-supplied rule id on input nor encodes it for the HTML context before displaying it.

Impact

Exploitation results in stored cross-site scripting: the injected script runs in the browser of whichever user triggers it, with that user's session and privileges in the application. Because the payload fires on routine rule-management actions, the victim is typically an admin, so a low-privileged kuiperUser can effectively execute script in an admin's context.

Reproduction

To reproduce, a user with the kuiperUser role creates a rule whose 'id' contains an XSS payload, such as a <script> tag or an <iframe>. Once the rule is saved, an admin user triggers the payload by performing any action that touches the rule, such as updating or deleting it.
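The following Go program is an added illustration of the mechanism described above and in the reproduction steps; it is not eKuiper's code. It assumes a minimal Rule struct with the id, sql and actions fields an eKuiper rule body carries, an illustrative HTML renderer for a rule list, and a hypothetical allowlist for rule ids (eKuiper's own id rules may differ). It parses a constructed attacker rule body with a payload in 'id', shows how string-concatenated HTML leaves the payload executable, and contrasts that with contextual output encoding via html/template plus input validation at the API boundary.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// Rule mirrors the fields of an eKuiper rule body that matter here.
// Illustrative struct for this example, not eKuiper's own type.
type Rule struct {
	ID      string                   `json:"id"`
	SQL     string                   `json:"sql"`
	Actions []map[string]interface{} `json:"actions"`
}

// Constructed attacker input: a rule body a kuiperUser could submit,
// carrying an XSS payload in the "id" field.
const attackerRuleJSON = `{
  "id": "<img src=x onerror=alert(document.cookie)>",
  "sql": "SELECT * FROM demo",
  "actions": [{"log": {}}]
}`

// ParseRule decodes a rule body the way an API handler would.
func ParseRule(body string) (Rule, error) {
	var r Rule
	err := json.Unmarshal([]byte(body), &r)
	return r, err
}

// renderRuleRowUnsafe builds one row of a rule list by string
// concatenation. The stored id is inserted verbatim, so a payload in it
// becomes live markup in the viewer's browser. (Illustrative vulnerable code.)
func renderRuleRowUnsafe(r Rule) string {
	return fmt.Sprintf(`<tr><td>%s</td><td>%s</td></tr>`, r.ID, r.SQL)
}

// rowTmpl is parsed by html/template, which escapes each value according
// to the HTML context it lands in.
var rowTmpl = template.Must(template.New("row").Parse(
	`<tr><td>{{.ID}}</td><td>{{.SQL}}</td></tr>`))

// renderRuleRowSafe renders the same row with contextual output encoding,
// so a stored payload is displayed as text instead of executed.
func renderRuleRowSafe(r Rule) (string, error) {
	var sb strings.Builder
	if err := rowTmpl.Execute(&sb, r); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// ruleIDPattern is a hypothetical allowlist for rule ids: letters, digits,
// underscore and hyphen, 1 to 64 characters.
var ruleIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ValidateRuleID rejects ids that are not plain identifiers. This is
// defence in depth at the API boundary; output encoding is still required.
func ValidateRuleID(id string) error {
	if !ruleIDPattern.MatchString(id) {
		return fmt.Errorf("invalid rule id %q: must match %s", id, ruleIDPattern)
	}
	return nil
}

// ContainsRawTag reports whether rendered HTML still contains an unescaped
// start of the given element, i.e. whether the payload survived rendering.
func ContainsRawTag(rendered string, tag string) bool {
	return strings.Contains(rendered, "<"+tag)
}

func main() {
	r, err := ParseRule(attackerRuleJSON)
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe:  ", renderRuleRowUnsafe(r))
	safe, _ := renderRuleRowSafe(r)
	fmt.Println("safe:    ", safe)
	fmt.Println("validate:", ValidateRuleID(r.ID))
	fmt.Println("validate:", ValidateRuleID("rule1"))
}
```

The unsafe renderer emits `<img ... onerror=...>` inside the table cell, which is exactly the admin-side execution the advisory describes; the html/template version emits `&lt;img ... &gt;` and the allowlist rejects the id before it is ever stored. Both layers are worth having: validation stops the payload at creation time, encoding protects every place the id is later displayed.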

Remediation

Upgrade to LF Edge eKuiper version 2.0.8 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 1.7
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.