
CVE-2024-26140 com.yetanalytics:lrs

Package

Manager: maven
Name: com.yetanalytics:lrs
Vulnerable Version: >=0 <1.2.17

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00166 (percentile 0.38147)

Details

Cross-site Scripting Vulnerability in Statement Browser

Impact

A maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser.

Patches

The problem is patched in version 1.2.17 of the LRS library and [version 0.7.5 of SQL LRS](https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5).

Workarounds

No workarounds exist; we recommend upgrading to version 1.2.17 of the library or version 0.7.5 of SQL LRS immediately.

References

* [LRS Tag](https://github.com/yetanalytics/lrs/releases/tag/v1.2.17)
* [LRS lib on Clojars](https://clojars.org/com.yetanalytics/lrs/versions/1.2.17)
* [SQL LRS 0.7.5 Release](https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5)

Metadata

Created: 2024-02-21T00:24:56Z
Modified: 2024-02-21T00:34:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-7rw2-3hhp-rc46/GHSA-7rw2-3hhp-rc46.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-7rw2-3hhp-rc46
Finding: F008
Auto approve: 1