CVE-2024-52290: 
vulnerability analysis and mitigation

LF Edge eKuiper, a lightweight IoT data analytics and stream processing engine, was found to contain a stored Cross-Site Scripting (XSS) vulnerability in versions prior to 2.1.0. The vulnerability allows users with service modification rights (e.g., kuiperUser role) to inject malicious XSS payloads into the Connection Configuration key 'Name' ('confKey') parameter (GitHub Advisory, Wiz).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N. The attack vector is network-based, requires low attack complexity, low privileges, and user interaction. The scope is unchanged, with high impact on confidentiality, low impact on integrity, and no impact on availability (GitHub Advisory).

When exploited, the vulnerability allows attackers to execute malicious scripts in the context of other users' browsers when they attempt to delete the compromised configuration key. This can lead to unauthorized access to sensitive information, potential session hijacking, and the possibility of malware distribution, affecting user data privacy and application integrity (GitHub Advisory).

The vulnerability has been fixed in LF Edge eKuiper version 2.1.0. All users are advised to upgrade to this version or later, where such malicious parameters are blocked from being processed (GitHub Advisory).