Uptime Kuma 1.19.6 Cross Site Scripting

Uptime Kuma versions 1.19.6 and below suffer from a cross site scripting vulnerability.

Packet Storm
# Exploit Title: Stored XSS in uptime-kuma <= v1.19.6
# CVE: CVE-2023-26777
# Exploit Author: Achuth V P (retrymp3)
# Date: February 09, 2023
# Vendor Homepage: https://github.com/louislam/
# Software Link: https://github.com/louislam/uptime-kuma
# Tested on: Ubuntu
# Version: <= v1.19.6
# Exploit Description:

A stored cross site scripting vulnerability in Uptime Kuma v.1.19.6 and before allows a remote attacker to execute arbitrary JavaScript code via the description, title, footer, and incident creation parameters of the status page in the application.

Create a status page and, while giving the title or the description, give the payload: <script>""</script><script>alert("XSS")</script>

If anyone loads the page, the JavaScript inside the script tag will be executed.
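The title of the issue linked under Related news names the status page's inline `window.preloadData` script. The following added example (not Uptime Kuma's code and not part of the advisory) shows why JSON written into an inline script must have `<` escaped, next to a hardened serializer; the field names and the page template are assumptions.

```javascript
// Added example, not Uptime Kuma's code. Field names and the inline-script
// template are assumptions made for illustration.

// Constructed sample: stored status-page settings holding the advisory's payload.
const storedConfig = {
  title: 'Status',
  footerText: '<script>""</script><script>alert("XSS")</script>',
};

// Unsafe pattern: JSON.stringify leaves "<" and "/" untouched, so "</script>"
// inside a string value ends the inline script element early and the rest of
// the value is parsed as HTML.
function renderUnsafe(config) {
  return `<script>window.preloadData = ${JSON.stringify(config)};</script>`;
}

// Hardened serializer: replace characters the HTML parser acts on (and the two
// JS line separators) with \uXXXX escapes, which JSON/JS decode back unchanged.
const ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}
function renderSafe(config) {
  return `<script>window.preloadData = ${jsonForInlineScript(config)};</script>`;
}

// Separate control for the same fields when they are written into markup as text.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Counts script end tags in rendered output; exactly one (the wrapper's) is expected.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

console.log('unsafe end tags:', countScriptEndTags(renderUnsafe(storedConfig)));
console.log('safe end tags:  ', countScriptEndTags(renderSafe(storedConfig)));
console.log('as markup text: ', escapeHtml(storedConfig.footerText));
```

A count above one from `countScriptEndTags` on a rendered page is a quick regression check that stored fields are reaching the inline script unescaped.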

Related news

CVE-2023-26777: Script tag in Footer Text breaks window.preloadData at Status Page · Issue #2186 · louislam/uptime-kuma

Cross Site Scripting vulnerability found in louislam Uptime Kuma v.1.19.6 and before allows a remote attacker to execute arbitrary commands via the description, title, footer, and incident creation parameter of the status_page.js endpoint.
