FKIE_CVE-2024-26140

Vulnerability from fkie_nvd - Published: 2024-02-20 22:15 - Updated: 2025-02-05 22:34
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.
References
security-advisories@github.comhttps://clojars.org/com.yetanalytics/lrs/versions/1.2.17Product, Release Notes
security-advisories@github.comhttps://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621Patch
security-advisories@github.comhttps://github.com/yetanalytics/lrs/releases/tag/v1.2.17Release Notes
security-advisories@github.comhttps://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46Vendor Advisory
security-advisories@github.comhttps://github.com/yetanalytics/lrsql/releases/tag/v0.7.5Release Notes
af854a3a-2127-422b-91ae-364da2661108https://clojars.org/com.yetanalytics/lrs/versions/1.2.17Product, Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/yetanalytics/lrs/releases/tag/v1.2.17Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5Release Notes
Impacted products
Vendor Product Version
yetanalytics lrs *
yetanalytics sql_lrs *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:yetanalytics:lrs:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA215B85-84E9-4032-A0B1-BEA4B6F27F5D",
              "versionEndExcluding": "1.2.17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:yetanalytics:sql_lrs:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB697355-88AA-48FC-A35B-FCABBB7B16DA",
              "versionEndExcluding": "0.7.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist."
    },
    {
      "lang": "es",
      "value": "com.yetanalytics/lrs es la librer\u00eda LRS principal de Yet Analytics. Antes de la versi\u00f3n 1.2.17 de la librer\u00eda LRS y la versi\u00f3n 0.7.5 de SQL LRS, se pod\u00eda utilizar una declaraci\u00f3n xAPI creada con fines malintencionados para realizar una inyecci\u00f3n de script u otras etiquetas en el navegador de declaraciones LRS. El problema se solucion\u00f3 en la versi\u00f3n 1.2.17 de la librer\u00eda LRS y en la versi\u00f3n 0.7.5 de SQL LRS. No existen workarounds conocidas."
    }
  ],
  "id": "CVE-2024-26140",
  "lastModified": "2025-02-05T22:34:32.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T22:15:08.950",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://clojars.org/com.yetanalytics/lrs/versions/1.2.17"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/yetanalytics/lrs/releases/tag/v1.2.17"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://clojars.org/com.yetanalytics/lrs/versions/1.2.17"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/yetanalytics/lrs/releases/tag/v1.2.17"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.