5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-52812

CVE-2024-52812: LF Edge eKuiper allows Stored XSS in Rules Functionality

Summary

Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.

Details

A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Rule id parameter. Then, after any user with access to this service (e.g. admin) will try make any modifications with the rule (update, run, stop, delete), a payload will act in victim's browser.

The issue appears as the notification to user is made in an insafe way:

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L716

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L735

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L794

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L809

https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L824

Such writing to 'http.ResponseWriter' bypasses HTML escaping that prevents cross-site scripting vulnerabilities.

Because of the some (meybe protection) mechanisms a real exploitation is possible only with limited special characters, but this is enough to construct a strong payload

PoC

Create a rule with id:

<iframe src="javascript:alert`1337`">

Creating a malicious Rule

Just after Rule Submition the Payload shoots:

Running Payload

Then, when another user (e.g. admin) will try to do something with this rule (e.g. start), the payload shoots in his context:

Exploiting the admin

Impact

Stored Cross-site Scripting (XSS) vulnerability

Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-52812

CVE-2024-52812:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/lf-edge/ekuiper/v2	go	< 2.0.8	2.0.8
github.com/lf-edge/ekuiper	go	<= 1.14.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from multiple handler functions in rest.go that use fmt.Fprintf to write rule IDs directly into HTTP responses without proper HTML escaping. The rule ID parameter is attacker-controlled (as shown in PoC) and gets reflected in admin-facing notifications. Each identified function corresponds to a different rule operation (create/delete/start/stop/etc) that unsafely interpolates the untrusted ID parameter into response bodies using formatting functions that don't perform XSS protections. The direct code references and PoC validation confirm these are the injection points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-52812: LF Edge eKuiper allows Stored XSS in Rules Functionality

Summary

Details

PoC

Impact

CVE-2024-52812:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

5.4

5.4

CVE-2024-52812: LF Edge eKuiper allows Stored XSS in Rules Functionality

Summary

Details

PoC

Impact

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI