CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-36822 – Uptime Kuma authenticated path traversal via plugin repository name may lead to unavailability or data loss
https://notcve.org/view.php?id=CVE-2023-36822
05 Jul 2023 — Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. Before a plugin is downloaded, the plugin installation directory is checked for existence. If it exists, it's removed before the plugin installation. • https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-36821 – Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
https://notcve.org/view.php?id=CVE-2023-36821
05 Jul 2023 — Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling `npm install` in the installation directory of the pl... • https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216 • CWE-20: Improper Input Validation •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25811 – Persistent Cross site scripting (XSS) in Uptime Kuma
https://notcve.org/view.php?id=CVE-2023-25811
21 Feb 2023 — Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25810 – Persistent Cross site scripting (XSS) through description in status page in Uptime Kuma
https://notcve.org/view.php?id=CVE-2023-25810
21 Feb 2023 — Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •