Vulnerability Description
com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yetanalytics | Lrs | < 1.2.17 |
| Yetanalytics | Sql Lrs | < 0.7.5 |
Related Weaknesses (CWE)
References
- https://clojars.org/com.yetanalytics/lrs/versions/1.2.17 (Product, Release Notes)
- https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0 (Patch)
- https://github.com/yetanalytics/lrs/releases/tag/v1.2.17 (Release Notes)
- https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46 (Vendor Advisory)
- https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5 (Release Notes)
FAQ
What is CVE-2024-26140?
CVE-2024-26140 is a vulnerability with a CVSS score of 4.6 (MEDIUM). com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform scrip...
How severe is CVE-2024-26140?
CVE-2024-26140 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-26140?
Check the references section above for vendor advisories and patch information. Affected products include: Yetanalytics Lrs, Yetanalytics Sql Lrs.