OneUptime Vulnerability: Insecure Client-Side Data Storage
CVE-2024-29194

8.3HIGH

Key Information:

Vendor: Oneuptime
Status: Vendor
CVE Published: 24 March 2024

Badges

👾 Exploit Exists

What is CVE-2024-29194?

A vulnerability in the OneUptime web application stems from improper validation of client-side stored data. The issue centers on the 'is_master_admin' key stored in the browser's local storage: an attacker can change this key from false to true and obtain administrative privileges, because the server performs no validation of its own. This flaw is a significant security concern because it lets malicious users gain elevated access rights. The vulnerability has been addressed in version 7.0.1815.
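The bug class described above, as an added JavaScript illustration that is not OneUptime's code: a client-held flag such as the `is_master_admin` localStorage key is untrusted input, and the vulnerable check (which believes it) is shown beside the hardened check (which consults only server-side session state). The session store, session ids and the `handleAdminAction` handler are constructed for this example; only the `is_master_admin` key name comes from the advisory.

```javascript
// Added illustration (not OneUptime's code) of the bug class behind CVE-2024-29194:
// a privilege flag the browser stores (localStorage "is_master_admin") must never
// decide authorization; only server-side state bound to the session may do that.

// Constructed server-side session store: sessionId -> user record.
// The admin bit lives here and never round-trips through the client.
const SESSIONS = new Map([
  ["sess-alice", { userId: "alice", isMasterAdmin: false }],
  ["sess-root", { userId: "root", isMasterAdmin: true }],
]);

// Vulnerable pattern: the server believes whatever the client says about itself.
// `clientState` stands for the JSON the browser sends, copied from localStorage,
// so its is_master_admin field is fully attacker-controlled.
function isMasterAdminVulnerable(sessionId, clientState) {
  if (!SESSIONS.has(sessionId)) return false;
  return clientState.is_master_admin === true;
}

// Hardened pattern: the client-supplied flag is ignored entirely; the decision
// comes from the server-side record of an authenticated session.
function isMasterAdminSecure(sessionId, _clientState) {
  const session = SESSIONS.get(sessionId);
  return session !== undefined && session.isMasterAdmin === true;
}

// Request handler that gates an admin-only action on the chosen authorization check.
function handleAdminAction(check, sessionId, clientState) {
  if (!check(sessionId, clientState)) {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: "admin action performed" };
}

// Constructed request state: a normal user's browser storage edited to claim admin.
const tamperedState = { is_master_admin: true };

console.log("vulnerable:", handleAdminAction(isMasterAdminVulnerable, "sess-alice", tamperedState).status); // 200
console.log("hardened:  ", handleAdminAction(isMasterAdminSecure, "sess-alice", tamperedState).status);     // 403
```

A detection angle for defenders follows from the same split: any privilege decision whose only input is a value echoed back by the client is the pattern to hunt for in code review.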

Affected Version(s)

oneuptime < 7.0.1815

References

CVSS v3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved
