CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-36822 – Uptime Kuma authenticated path traversal via plugin repository name may lead to unavailability or data loss
https://notcve.org/view.php?id=CVE-2023-36822
05 Jul 2023 — Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. Before a plugin is downloaded, the plugin installation directory is checked for existence. If it exists, it's removed before the plugin installation. • https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-36821 – Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
https://notcve.org/view.php?id=CVE-2023-36821
05 Jul 2023 — Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling `npm install` in the installation directory of the pl... • https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216 • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26777 – Uptime Kuma 1.19.6 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2023-26777
04 Apr 2023 — Cross Site Scripting vulnerability found in : louislam Uptime Kuma v.1.19.6 and before allows a remote attacker to execute arbitrary commands via the description, title, footer, and incident creation parameter of the status_page.js endpoint. Uptime Kuma versions 1.19.6 and below suffer from a cross site scripting vulnerability. • https://packetstorm.news/files/id/171699 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25811 – Persistent Cross site scripting (XSS) in Uptime Kuma
https://notcve.org/view.php?id=CVE-2023-25811
21 Feb 2023 — Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25810 – Persistent Cross site scripting (XSS) through description in status page in Uptime Kuma
https://notcve.org/view.php?id=CVE-2023-25810
21 Feb 2023 — Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •