Headline

CVE-2023-25811: Persistent XSS through "new status page --> name"

Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma name parameter allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.

2 years ago

CVE

Open in Source

#xss #vulnerability #git

- Actions
  
  Automate any workflow
- Packages
  
  Host and manage packages
- Security
  
  Find and fix vulnerabilities
- Codespaces
  
  Instant dev environments
- Copilot
  
  Write better code with AI
- Code review
  
  Manage code changes
- Issues
  
  Plan and track work
- Discussions
  
  Collaborate outside of code

*   Explore
*   All features
*   Documentation
*   GitHub Skills
*   Blog

- For
- Enterprise
- Teams
- Startups
- Education
- By Solution
- CI/CD & Automation
- DevOps
- DevSecOps
- Case Studies
- Customer Stories
- Resources
- GitHub Sponsors
  
  Fund open source developers

*   The ReadME Project
    
    GitHub community articles
    

*   Repositories
*   Topics
*   Trending
*   Collections

Pricing
Notifications
Fork 2.5k
Code
Issues 741
Pull requests 84
Actions
Projects 1
Wiki
Security
Insights

Moderate

louislam published GHSA-553g-fcpf-m3wp

Feb 13, 2023

Package

No package listed

Affected versions

<= 1.19.6

Description

Summary

Uptime Kuma status page allows persistent XSS.

PoC

Run Uptime Kuma with version 1.19.2
Create a new status page with the following name: "><script>alert(‘XSS discovered by Manuel’)</script>
Press “Next” --> The payload is executed.
The payload is also executed when you select the new generated status page.

Impact

https://cwe.mitre.org/data/definitions/79.html

Screenshots

Severity

CVSS base metrics

User interaction

Required

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

Weaknesses