uptime-kuma@2.0.0-dev.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the uptime-kuma package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version

Severity: M
Session Fixation

uptime-kuma is a

Affected versions of this package are vulnerable to Session Fixation due to improper session management after a password change. An attacker can maintain access to an account without needing to re-authenticate by using an existing session that should have been invalidated.

Notes:

  1. This is only exploitable if the attacker has access to an active session before the password change.
  2. Sessions are only deleted on the client side after a user logs out, meaning a local attacker could reuse the existing session token, with deep system access, through the browser.

How to fix Session Fixation?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=0.0.0
Severity: H
OS Command Injection

uptime-kuma is a

Affected versions of this package are vulnerable to OS Command Injection due to improper validation of the hostname parameter in the runTailscalePing method. An authenticated user can execute arbitrary commands on the server.

Note: When Uptime Kuma runs inside a container, the Tailscale Ping monitor type is not visible. This can be faked by intercepting WebSocket messages and setting the isContainer option to false.

How to fix OS Command Injection?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=2.0.0-dev.0