CVE-2024-26140
4.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Summary
com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| yetanalytics | lrs | < 0.7.5 | affected |
| yetanalytics | lrs | < 1.2.17 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46
- https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621
- https://clojars.org/com.yetanalytics/lrs/versions/1.2.17
- https://github.com/yetanalytics/lrs/releases/tag/v1.2.17
- https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5
References
- https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46
- https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621
- https://clojars.org/com.yetanalytics/lrs/versions/1.2.17
- https://github.com/yetanalytics/lrs/releases/tag/v1.2.17
- https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.