CVE-2024-26140 MEDIUM

CVE-2024-26140: com.yetanalytics/lrs has Cross-site Scripting Vulnerability in Statement Browser

Vendor Yetanalytics
Product lrs
Weakness CWE-79 · XSS
Published February 20, 2024
Last update August 1, 2024

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.

Key dates

02 Disclosure timeline

February 20, 2024 CVE published
August 1, 2024 Record updated