CVE-2024-26140
Cross-site Scripting Vulnerability in Statement Browser
Description
### Impact A maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. ### Patches The problem is patched in version 1.2.17 of the LRS library and [version 0.7.5 of SQL LRS](https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5). ### Workarounds No workarounds exist, we recommend upgrading to version 1.2.17 of the library or version 0.7.5 of SQL LRS immediately. ### References * [LRS Tag](https://github.com/yetanalytics/lrs/releases/tag/v1.2.17) * [LRS lib on Clojars](https://clojars.org/com.yetanalytics/lrs/versions/1.2.17) * [SQL LRS 0.7.5 Release](https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5)
How to fix CVE-2024-26140
To remediate CVE-2024-26140, upgrade the affected package to a fixed version below.
- —upgrade to 1.2.17 or later
Is CVE-2024-26140 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.2.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L |