CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-36822 – Uptime Kuma authenticated path traversal via plugin repository name may lead to unavailability or data loss
https://notcve.org/view.php?id=CVE-2023-36822
Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. Before a plugin is downloaded, the plugin installation directory is checked for existence. If it exists, it's removed before the plugin installation. • https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80 https://github.com/louislam/uptime-kuma/pull/3346 https://github.com/louislam/uptime-kuma/releases/tag/1.22.1 https://github.com/louislam/uptime-kuma/security/advisories/GHSA-vr8x-74pm-6vj7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-36821 – Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
https://notcve.org/view.php?id=CVE-2023-36821
Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling `npm install` in the installation directory of the plugin. Because the plugin is not validated against the official list of plugins or installed with `npm install --ignore-scripts`, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution. • https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216 https://github.com/louislam/uptime-kuma/pull/3346 https://github.com/louislam/uptime-kuma/releases/tag/1.22.1 https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26777 – Uptime Kuma 1.19.6 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2023-26777
Cross Site Scripting vulnerability found in : louislam Uptime Kuma v.1.19.6 and before allows a remote attacker to execute arbitrary commands via the description, title, footer, and incident creation parameter of the status_page.js endpoint. Uptime Kuma versions 1.19.6 and below suffer from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/171699/Uptime-Kuma-1.19.6-Cross-Site-Scripting.html https://github.com/louislam/uptime-kuma/issues/2186 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25811 – Persistent Cross site scripting (XSS) in Uptime Kuma
https://notcve.org/view.php?id=CVE-2023-25811
Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25810 – Persistent Cross site scripting (XSS) through description in status page in Uptime Kuma
https://notcve.org/view.php?id=CVE-2023-25810
Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •