CVE-2023-44400

2023-10-0916:15:10

CWE-384

[email protected]

web.nvd.nist.gov

uptime kuma

cve-2023-44400

monitoring tool

security vulnerability

session tokens

account access

patch

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user’s device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the issue.

Affected configurations

Vulners

NVD

Node

louislamuptime_kumaRange<1.23.3

CPENameOperatorVersion
uptime.kuma:uptime_kumauptime.kuma uptime kumalt1.23.3

CPE	Name	Operator	Version
uptime.kuma:uptime_kuma	uptime.kuma uptime kuma	lt	1.23.3

CNA Affected

[
  {
    "vendor": "louislam",
    "product": "uptime-kuma",
    "versions": [
      {
        "version": "< 1.23.3",
        "status": "affected"
      }
    ]
  }
]