CVE-2023-44400 Uptime Kuma has Persistentent User Sessions

2023-10-0915:15:07

CWE-384

GitHub_M

www.cve.org

uptime kuma

cve-2023-44400

persistent user sessions

monitoring tool

patch

security issue

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user’s device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the issue.

CNA Affected

[
  {
    "vendor": "louislam",
    "product": "uptime-kuma",
    "versions": [
      {
        "version": "< 1.23.3",
        "status": "affected"
      }
    ]
  }
]