Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03cncyLTNoaHAtcmM0Ns4AA5Z0

Cross-site Scripting Vulnerability in Statement Browser

Impact

A maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser.

Patches

The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS.

Workarounds

No workarounds exist; we recommend upgrading to version 1.2.17 of the library or version 0.7.5 of SQL LRS immediately.

References

Permalink: https://github.com/advisories/GHSA-7rw2-3hhp-rc46
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03cncyLTNoaHAtcmM0Ns4AA5Z0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 months ago
Updated: 2 months ago


CVSS Score: 4.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Identifiers: GHSA-7rw2-3hhp-rc46, CVE-2024-26140
References: Repository: https://github.com/yetanalytics/lrs
Blast Radius: 1.0

Affected Packages

maven:com.yetanalytics:lrs
Affected Version Ranges: < 1.2.17
Fixed in: 1.2.17