CVE-2023-44400
Published: 2023-10-09
Priority: P3 (40) · Severity: high · CVSS 3.1 base score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.27% (percentile 18.3)
Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the issue.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dockge.kuma | dockge | < 1.3.3 | 1.3.3 |
| louislam | uptime-kuma | < 1.23.9 | 1.23.9 |
| louislam | uptime-kuma | >= 0 < 1.23.3 | 1.23.3 |
| uptime.kuma | uptime_kuma | < 1.23.9 | 1.23.9 |
| uptime.kuma | uptime_kuma | < 1.23.3 | 1.23.3 |
OSV · 2023-10-10 · CVE-2023-44400 [HIGH]: Uptime Kuma has Persistent User Sessions
# Summary
Attackers with access to a user's device can gain persistent account access.
This is caused by missing verification of session tokens after password changes and/or elapsed inactivity periods.
# Details
`uptime-kuma` sets JWT tokens for users after successful authentication.
These tokens have the following design flaws:
- After successful login, a JWT token is issued and stored in `sessionStorage` or `localStorage`;
  which of the two is used is decided by the `Remember Me` option.
  The user's token is valid without any time limitation, even after long periods of inactivity.
  This increases the risk of session hijacking if, for example, a user forgets to log off and leaves the PC.
- sessions are only deleted on the client side after a user lo
GHSA · 2023-10-10 · CVE-2023-44400 [HIGH] · CWE-384: Uptime Kuma has Persistent User Sessions
(Advisory text identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/louislam/uptime-kuma/commit/88afab6571ef7d4d41bb395cdb6ecd3968835a4a
- https://github.com/louislam/uptime-kuma/issues/3481
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g