CVE-2024-26140

com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://clojars.org/com.yetanalytics/lrs/versions/1.2.17	Release Notes
https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621	Patch
https://github.com/yetanalytics/lrs/releases/tag/v1.2.17	Release Notes
https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46	Vendor Advisory
https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5	Release Notes
https://clojars.org/com.yetanalytics/lrs/versions/1.2.17	Product
https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621	Patch
https://github.com/yetanalytics/lrs/releases/tag/v1.2.17	Release Notes
https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46	Vendor Advisory
https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:yetanalytics:lrs::::::::
	cpe:2.3:a:yetanalytics:sql_lrs::::::::

History

No history.

Information

Published : 2024-02-20 22:15

Updated : 2025-02-05 22:34

NVD link : CVE-2024-26140

Mitre link : CVE-2024-26140

CVE.ORG link : CVE-2024-26140

JSON object : View

Products Affected

yetanalytics

lrs
sql_lrs

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-26140", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-02-20T22:15:08.950", "references": [{"url": "https://clojars.org/com.yetanalytics/lrs/versions/1.2.17", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/yetanalytics/lrs/releases/tag/v1.2.17", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://clojars.org/com.yetanalytics/lrs/versions/1.2.17", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/yetanalytics/lrs/releases/tag/v1.2.17", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist."}, {"lang": "es", "value": "com.yetanalytics/lrs es la librer\u00eda LRS principal de Yet Analytics. Antes de la versi\u00f3n 1.2.17 de la librer\u00eda LRS y la versi\u00f3n 0.7.5 de SQL LRS, se pod\u00eda utilizar una declaraci\u00f3n xAPI creada con fines malintencionados para realizar una inyecci\u00f3n de script u otras etiquetas en el navegador de declaraciones LRS. El problema se solucion\u00f3 en la versi\u00f3n 1.2.17 de la librer\u00eda LRS y en la versi\u00f3n 0.7.5 de SQL LRS. No existen workarounds conocidas."}], "lastModified": "2025-02-05T22:34:32.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yetanalytics:lrs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA215B85-84E9-4032-A0B1-BEA4B6F27F5D", "versionEndExcluding": "1.2.17"}, {"criteria": "cpe:2.3:a:yetanalytics:sql_lrs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB697355-88AA-48FC-A35B-FCABBB7B16DA", "versionEndExcluding": "0.7.5"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}