OneUptime: Password Reset Token Logged at INFO Level

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.

N/A

通过日志文件的信息暴露

OneUptime 日志信息泄露漏洞

OneUptime是OneUptime开源的一个全面的解决方案。用于监控和管理您的在线服务。 OneUptime 10.0.24之前版本存在日志信息泄露漏洞，该漏洞源于密码重置流程会记录包含明文重置令牌的完整URL，可能导致访问日志的攻击者拦截令牌并接管账户。

N/A

N/A