Headline
CVE-2023-26777: Script tag in Footer Text breaks window.preloadData at Status Page · Issue #2186 · louislam/uptime-kuma
Cross Site Scripting vulnerability found in :ouislam Uptime Kuma v.1.19.6 and before allows a remote attacker to execute arbitrary commands via the description, title, footer, and incident creation parameter of the status_page.js endpoint.
⚠️ Please verify that this bug has NOT been raised before.
- I checked and didn’t find similar issue
🛡️ Security Policy
- I agree to have read this project Security Policy
Description
Script tag in custom footer text breaks window.preloadData and it gets added to page.
Also side effect is that you can load custom JS/XSS there if use this footer text:
“</script><script>alert()</script>”
👟 Reproduction steps
- Edit Status Page
- Footer text: <script></script>
- Save and json is added to top of the page.
- Console error: Uncaught SyntaxError: Invalid or unexpected token
👀 Expected behavior
window.preloadData should escape script to avoid parse error
😓 Actual Behavior
window.preloadData crashes when script tag is in Footer Text.
🐻 Uptime-Kuma Version
1.18.0
💻 Operating System and Arch
Windows 10
🌐 Browser
Edge latest
🐋 Docker Version
No response
🟩 NodeJS Version
No response
📝 Relevant log output
No response
Related news
Uptime Kuma versions 1.19.6 and below suffer from a cross site scripting vulnerability.