
    8 vulnerabilities by uptime-kuma_project

    CVE-2023-36822 (GCVE-0-2023-36822)

    Vulnerability from nvd – Published: 2023-07-05 21:18 – Updated: 2024-10-24 18:11
    Title
    Uptime Kuma authenticated path traversal via plugin repository name may lead to unavailability or data loss
    Summary
    Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. Before a plugin is downloaded, the plugin installation directory is checked for existence. If it exists, it's removed before the plugin installation. Because the plugin is not validated against the official list of plugins or sanitized, the check for existence and the removal of the plugin installation directory are prone to path traversal. This vulnerability allows an authenticated attacker to delete files from the server Uptime Kuma is running on. Depending on which files are deleted, Uptime Kuma or the whole system may become unavailable due to data loss.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Impacted products
    Vendor Product Version
    louislam uptime-kuma Affected: < 1.22.1
    uptime-kuma_project uptime-kuma Affected: 0 , < 1.22.1 (custom)
        cpe:2.3:a:uptime-kuma_project:uptime-kuma:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:01:09.629Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-vr8x-74pm-6vj7",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-vr8x-74pm-6vj7"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/pull/3346",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/pull/3346"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:uptime-kuma_project:uptime-kuma:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "uptime-kuma",
                "vendor": "uptime-kuma_project",
                "versions": [
                  {
                    "lessThan": "1.22.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-36822",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-24T17:58:55.479147Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-24T18:11:44.833Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "uptime-kuma",
              "vendor": "louislam",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.22.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. Before a plugin is downloaded, the plugin installation directory is checked for existence. If it exists, it\u0027s removed before the plugin installation. Because the plugin is not validated against the official list of plugins or sanitized, the check for existence and the removal of the plugin installation directory are prone to path traversal. This vulnerability allows an authenticated attacker to delete files from the server Uptime Kuma is running on. Depending on which files are deleted, Uptime Kuma or the whole system may become unavailable due to data loss.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-05T21:18:09.160Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-vr8x-74pm-6vj7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-vr8x-74pm-6vj7"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/pull/3346",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/pull/3346"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1"
            }
          ],
          "source": {
            "advisory": "GHSA-vr8x-74pm-6vj7",
            "discovery": "UNKNOWN"
          },
          "title": "Uptime Kuma authenticated path traversal via plugin repository name may lead to unavailability or data loss"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-36822",
        "datePublished": "2023-07-05T21:18:09.160Z",
        "dateReserved": "2023-06-27T15:43:18.386Z",
        "dateUpdated": "2024-10-24T18:11:44.833Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-36821 (GCVE-0-2023-36821)

    Vulnerability from nvd – Published: 2023-07-05 21:14 – Updated: 2024-10-18 19:20
    Title
    Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
    Summary
    Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling `npm install` in the installation directory of the plugin. Because the plugin is not validated against the official list of plugins or installed with `npm install --ignore-scripts`, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution. Version 1.22.1 contains a patch for this issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Impacted products
    Vendor Product Version
    louislam uptime-kuma Affected: < 1.22.1
    uptime-kuma_project uptime-kuma Affected: 0 , < 1.22.1 (custom)
        cpe:2.3:a:uptime-kuma_project:uptime-kuma:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:01:09.559Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/pull/3346",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/pull/3346"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:uptime-kuma_project:uptime-kuma:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "uptime-kuma",
                "vendor": "uptime-kuma_project",
                "versions": [
                  {
                    "lessThan": "1.22.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-36821",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-18T19:00:38.368239Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-18T19:20:42.222Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "uptime-kuma",
              "vendor": "louislam",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.22.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it\u0027s installed by calling `npm install` in the installation directory of the plugin. Because the plugin is not validated against the official list of plugins or installed with `npm install --ignore-scripts`, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution. Version 1.22.1 contains a patch for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-05T21:14:44.234Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/pull/3346",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/pull/3346"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1"
            }
          ],
          "source": {
            "advisory": "GHSA-7grx-f945-mj96",
            "discovery": "UNKNOWN"
          },
          "title": "Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-36821",
        "datePublished": "2023-07-05T21:14:44.234Z",
        "dateReserved": "2023-06-27T15:43:18.386Z",
        "dateUpdated": "2024-10-18T19:20:42.222Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25811 (GCVE-0-2023-25811)

    Vulnerability from nvd – Published: 2023-02-21 20:45 – Updated: 2025-03-10 21:07
    Title
    Persistent Cross site scripting (XSS) in Uptime Kuma
    Summary
    Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Impacted products
    Vendor Product Version
    louislam uptime-kuma Affected: < 1.20.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:32:12.464Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25811",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T21:00:07.544551Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:07:35.752Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "uptime-kuma",
              "vendor": "louislam",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.20.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-21T20:45:39.863Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp"
            }
          ],
          "source": {
            "advisory": "GHSA-553g-fcpf-m3wp",
            "discovery": "UNKNOWN"
          },
          "title": "Persistent Cross site scripting (XSS) in Uptime Kuma"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25811",
        "datePublished": "2023-02-21T20:45:39.863Z",
        "dateReserved": "2023-02-15T16:34:48.773Z",
        "dateUpdated": "2025-03-10T21:07:35.752Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25810 (GCVE-0-2023-25810)

    Vulnerability from nvd – Published: 2023-02-21 20:45 – Updated: 2025-03-10 21:07
    Title
    Persistent Cross site scripting (XSS) through description in status page in Uptime Kuma
    Summary
    Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Impacted products
    Vendor Product Version
    louislam uptime-kuma Affected: < 1.20.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:32:12.731Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25810",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T20:57:12.669268Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:07:41.199Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "uptime-kuma",
              "vendor": "louislam",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.20.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-21T20:45:38.072Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296"
            }
          ],
          "source": {
            "advisory": "GHSA-wh8j-xr66-f296",
            "discovery": "UNKNOWN"
          },
          "title": "Persistent Cross site scripting (XSS) through description in status page in Uptime Kuma"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25810",
        "datePublished": "2023-02-21T20:45:38.072Z",
        "dateReserved": "2023-02-15T16:34:48.772Z",
        "dateUpdated": "2025-03-10T21:07:41.199Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-36822 (GCVE-0-2023-36822)

    Vulnerability from cvelistv5 – Published: 2023-07-05 21:18 – Updated: 2024-10-24 18:11
    Title
    Uptime Kuma authenticated path traversal via plugin repository name may lead to unavailability or data loss
    Summary
    Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. Before a plugin is downloaded, the plugin installation directory is checked for existence. If it exists, it's removed before the plugin installation. Because the plugin is not validated against the official list of plugins or sanitized, the check for existence and the removal of the plugin installation directory are prone to path traversal. This vulnerability allows an authenticated attacker to delete files from the server Uptime Kuma is running on. Depending on which files are deleted, Uptime Kuma or the whole system may become unavailable due to data loss.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Impacted products
    Vendor Product Version
    louislam uptime-kuma Affected: < 1.22.1
    uptime-kuma_project uptime-kuma Affected: 0 , < 1.22.1 (custom)
        cpe:2.3:a:uptime-kuma_project:uptime-kuma:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:01:09.629Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-vr8x-74pm-6vj7",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-vr8x-74pm-6vj7"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/pull/3346",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/pull/3346"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:uptime-kuma_project:uptime-kuma:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "uptime-kuma",
                "vendor": "uptime-kuma_project",
                "versions": [
                  {
                    "lessThan": "1.22.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-36822",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-24T17:58:55.479147Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-24T18:11:44.833Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "uptime-kuma",
              "vendor": "louislam",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.22.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Uptime Kuma, a self-hosted monitoring tool, has a path traversal vulnerability in versions prior to 1.22.1. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. Before a plugin is downloaded, the plugin installation directory is checked for existence. If it exists, it\u0027s removed before the plugin installation. Because the plugin is not validated against the official list of plugins or sanitized, the check for existence and the removal of the plugin installation directory are prone to path traversal. This vulnerability allows an authenticated attacker to delete files from the server Uptime Kuma is running on. Depending on which files are deleted, Uptime Kuma or the whole system may become unavailable due to data loss.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-05T21:18:09.160Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-vr8x-74pm-6vj7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-vr8x-74pm-6vj7"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/pull/3346",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/pull/3346"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js#L75-L80"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1"
            }
          ],
          "source": {
            "advisory": "GHSA-vr8x-74pm-6vj7",
            "discovery": "UNKNOWN"
          },
          "title": "Uptime Kuma authenticated path traversal via plugin repository name may lead to unavailability or data loss"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-36822",
        "datePublished": "2023-07-05T21:18:09.160Z",
        "dateReserved": "2023-06-27T15:43:18.386Z",
        "dateUpdated": "2024-10-24T18:11:44.833Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-36821 (GCVE-0-2023-36821)

    Vulnerability from cvelistv5 – Published: 2023-07-05 21:14 – Updated: 2024-10-18 19:20
    VLAI
    Title
    Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
    Summary
    Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling `npm install` in the installation directory of the plugin. Because the plugin is not validated against the official list of plugins or installed with `npm install --ignore-scripts`, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution. Version 1.22.1 contains a patch for this issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    louislam uptime-kuma Affected: < 1.22.1
    uptime-kuma_project uptime-kuma Affected: 0 , < 1.22.1 (custom)
        cpe:2.3:a:uptime-kuma_project:uptime-kuma:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:01:09.559Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/pull/3346",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/pull/3346"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216"
              },
              {
                "name": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:uptime-kuma_project:uptime-kuma:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "uptime-kuma",
                "vendor": "uptime-kuma_project",
                "versions": [
                  {
                    "lessThan": "1.22.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-36821",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-18T19:00:38.368239Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-18T19:20:42.222Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "uptime-kuma",
              "vendor": "louislam",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.22.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it\u0027s installed by calling `npm install` in the installation directory of the plugin. Because the plugin is not validated against the official list of plugins or installed with `npm install --ignore-scripts`, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution. Version 1.22.1 contains a patch for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-05T21:14:44.234Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/pull/3346",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/pull/3346"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216"
            },
            {
              "name": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1"
            }
          ],
          "source": {
            "advisory": "GHSA-7grx-f945-mj96",
            "discovery": "UNKNOWN"
          },
          "title": "Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-36821",
        "datePublished": "2023-07-05T21:14:44.234Z",
        "dateReserved": "2023-06-27T15:43:18.386Z",
        "dateUpdated": "2024-10-18T19:20:42.222Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25811 (GCVE-0-2023-25811)

    Vulnerability from cvelistv5 – Published: 2023-02-21 20:45 – Updated: 2025-03-10 21:07
    VLAI
    Title
    Persistent Cross site scripting (XSS) in Uptime Kuma
    Summary
    Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    louislam uptime-kuma Affected: < 1.20.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:32:12.464Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25811",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T21:00:07.544551Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:07:35.752Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "uptime-kuma",
              "vendor": "louislam",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.20.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma `name` parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-21T20:45:39.863Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-553g-fcpf-m3wp"
            }
          ],
          "source": {
            "advisory": "GHSA-553g-fcpf-m3wp",
            "discovery": "UNKNOWN"
          },
          "title": "Persistent Cross site scripting (XSS) in Uptime Kuma"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25811",
        "datePublished": "2023-02-21T20:45:39.863Z",
        "dateReserved": "2023-02-15T16:34:48.773Z",
        "dateUpdated": "2025-03-10T21:07:35.752Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25810 (GCVE-0-2023-25810)

    Vulnerability from cvelistv5 – Published: 2023-02-21 20:45 – Updated: 2025-03-10 21:07
    VLAI
    Title
    Persistent Cross site scripting (XSS) through description in status page in Uptime Kuma
    Summary
    Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    louislam uptime-kuma Affected: < 1.20.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:32:12.731Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25810",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T20:57:12.669268Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:07:41.199Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "uptime-kuma",
              "vendor": "louislam",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.20.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-21T20:45:38.072Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-wh8j-xr66-f296"
            }
          ],
          "source": {
            "advisory": "GHSA-wh8j-xr66-f296",
            "discovery": "UNKNOWN"
          },
          "title": "Persistent Cross site scripting (XSS) through description in status page in Uptime Kuma"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25810",
        "datePublished": "2023-02-21T20:45:38.072Z",
        "dateReserved": "2023-02-15T16:34:48.772Z",
        "dateUpdated": "2025-03-10T21:07:41.199Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }