Vulnerability Information
Vulnerability Title
OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure
Vulnerability Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.
CVSS Information
N/A
Vulnerability Type
Missing Authorization
Vulnerability Title
OneUptime Security Vulnerability
Vulnerability Description
OneUptime is a comprehensive open-source solution from OneUptime for monitoring and managing your online services. Versions of OneUptime prior to 10.0.42 contain a security vulnerability that stems from multiple notification API endpoints being registered without authentication middleware; combined with a projectId leak from the public Status Page API, this may allow an unauthenticated attacker to purchase phone numbers and delete all existing alerting numbers.
CVSS Information
N/A
Vulnerability Type
N/A