Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
Vulnerability Description
Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling `npm install` in the installation directory of the plugin. Because the plugin is not validated against the official list of plugins or installed with `npm install --ignore-scripts`, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution. Version 1.22.1 contains a patch for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
输入验证不恰当
Vulnerability Title
Uptime Kuma 输入验证错误漏洞
Vulnerability Description
Uptime Kuma是Louis Lam个人开发者的一个易于使用的自托管监控工具。 Uptime Kuma 1.22.1之前版本存在输入验证错误漏洞,该漏洞源于允许经过身份验证的攻击者安装恶意制作的插件,这可能会导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A