CVE-2024-26140: 
Java vulnerability analysis and mitigation

CVE-2024-26140 affects the Yet Analytics Core LRS Library (com.yetanalytics/lrs) prior to version 1.2.17 and SQL LRS prior to version 0.7.5. The vulnerability was disclosed on February 20, 2024, and involves a cross-site scripting (XSS) vulnerability in the LRS Statement Browser component (NVD).

The vulnerability is classified as a cross-site scripting (CWE-79) issue that allows script or tag injection through maliciously crafted xAPI statements in the LRS Statement Browser. The CVSS v3.1 severity ratings vary between sources, with NVD assigning a base score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and GitHub assigning 4.6 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L) (GitHub Advisory).

When exploited, this vulnerability allows attackers to perform script or other tag injection in the LRS Statement Browser, potentially leading to unauthorized script execution in the context of the user's browser session (GitHub Advisory).

The vulnerability has been patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No workarounds exist, and users are recommended to upgrade to the patched versions immediately (GitHub Advisory, LRS Release).