Oneuptime
Remote command execution can be achieved by low-privileged authenticated users (ProjectMember role) in OneUptime monitoring platform versions prior to 10.0.35 by exploiting incomplete sandbox restrictions in Synthetic Monitor Playwright script execution. The sandbox blocks some members of the Playwright page object but leaves _browserType and launchServer reachable, so a script can traverse page.context().browser()._browserType.launchServer() to spawn arbitrary processes on the Probe container or host. SSVC data records a proof-of-concept exploit, and the vulnerability carries a CVSS score of 9.9 (Critical) due to scope change and total technical impact.
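The entry above is an instance of a general failure: a deny-list applied to one object does nothing about the objects reachable from it. The following is an added example, not OneUptime's code, written against a constructed mock of the Playwright page graph (the real objects have the same shape but far more members). It runs the exact traversal from the advisory against a name-based deny-list proxy and against an allow-list facade that never exposes the page, context or browser objects.

```javascript
// Added example, not OneUptime's code: a property deny-list on a Playwright
// `page` object is not a sandbox boundary, because every object reachable from
// it is handed out unwrapped. The mock page graph is constructed for the example.

function makeMockPage() {
  const spawned = [];                       // records what launchServer was asked to start
  const browserType = {
    launchServer: (opts) => { spawned.push(opts); return { wsEndpoint: () => 'ws://mock' }; },
  };
  const browser = { _browserType: browserType, version: () => '1.0' };
  const context = { browser: () => browser };
  const page = { goto: async () => {}, title: async () => 'mock', context: () => context };
  return { page, spawned };
}

// Vulnerable pattern: block a few dangerous names on the top-level page only.
const DENIED = new Set(['evaluate', 'exposeFunction', 'addInitScript']);

function denyListProxy(page) {
  return new Proxy(page, {
    get(target, prop) {
      if (DENIED.has(prop)) throw new Error(`blocked: ${String(prop)}`);
      return target[prop];                  // returned objects are not wrapped; traversal is free
    },
  });
}

// Hardened pattern: hand the script an allow-list facade that never exposes
// the underlying page, context or browser objects at all.
function capabilityFacade(page) {
  const allowed = ['goto', 'title'];
  const facade = Object.create(null);
  for (const name of allowed) facade[name] = (...args) => page[name](...args);
  return Object.freeze(facade);
}

// Runs an untrusted script body with `page` bound to whatever object it is given.
function runScript(source, sandboxedPage) {
  return new Function('page', source)(sandboxedPage);
}

// The traversal named in the advisory, expressed as a script body.
const ESCAPE = "return page.context().browser()._browserType.launchServer({ executablePath: '/bin/sh' });";

// True if the script reached launchServer through the deny-list proxy.
function escapesDenyList() {
  const { page, spawned } = makeMockPage();
  try { runScript(ESCAPE, denyListProxy(page)); } catch { return false; }
  return spawned.length === 1;
}

// The error the same script hits against the facade, or null if it got through.
function escapesFacade() {
  const { page, spawned } = makeMockPage();
  try { runScript(ESCAPE, capabilityFacade(page)); } catch (e) { return spawned.length === 0 ? e.message : null; }
  return null;
}
```

The facade still has to be backed by a process that cannot reach anything it should not: if the Probe runs the browser and the script in the same container with host access, an allow-list only narrows the API, and an unprivileged, network-restricted container for script execution remains the actual boundary.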
OneUptime versions prior to 10.0.24 contain a sensitive information exposure vulnerability where the password reset flow logs complete password reset URLs containing plaintext reset tokens at the INFO log level, which is enabled by default in production environments. Any actor with access to application logs, including log aggregation systems, Docker logs, or Kubernetes pod logs, can extract these tokens and perform account takeover on any user. The vulnerability is fixed in version 10.0.24.
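Two practical controls follow from this entry: keep reset tokens out of log lines at the logger, and, for deployments that ran a vulnerable version, sweep the retained logs for tokens that must be revoked. The block below is an added example, not OneUptime's code; the URL shapes, parameter names and log lines are constructed for it.

```javascript
// Added example, not OneUptime's code. A sanitizer that strips reset tokens
// from URLs before a line is written, and a scanner that finds reset URLs
// already present in log text so the exposed tokens can be revoked.
// URL shapes, parameter names and the log lines are constructed.

const SECRET_PARAMS = new Set(['token', 'reset_token', 'code', 'verification']);
const URL_RE = /https?:\/\/[^\s"'<>]+/g;
const looksLikeToken = (s) => /^[A-Za-z0-9_-]{24,}$/.test(s);

// Redacts secret-named query parameters and any path segment that looks like a
// random token. Returns the input unchanged if it is not a parseable URL.
function redactUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return raw; }
  for (const key of [...url.searchParams.keys()]) {
    if (SECRET_PARAMS.has(key.toLowerCase())) url.searchParams.set(key, 'REDACTED');
  }
  url.pathname = url.pathname.split('/').map((seg) => (looksLikeToken(seg) ? 'REDACTED' : seg)).join('/');
  return url.toString();
}

// Wrap this around the logger so no reset URL reaches stdout, Docker or pod logs intact.
function redactLogLine(line) {
  return line.replace(URL_RE, (m) => redactUrl(m));
}

// Incident-response side: extract tokens from log text that was already written.
function findExposedResetTokens(logText) {
  const found = [];
  for (const line of logText.split('\n')) {
    for (const m of line.match(URL_RE) || []) {
      let url;
      try { url = new URL(m); } catch { continue; }
      if (!/reset|verif/i.test(url.pathname)) continue;
      for (const [k, v] of url.searchParams) {
        if (SECRET_PARAMS.has(k.toLowerCase()) && looksLikeToken(v)) found.push({ token: v, line });
      }
      for (const seg of url.pathname.split('/')) if (looksLikeToken(seg)) found.push({ token: seg, line });
    }
  }
  return found;
}

// Constructed log excerpt in the shape the advisory describes: INFO lines carrying full reset URLs.
const SAMPLE_LOG = [
  '2024-01-01T00:00:00Z INFO Password reset link sent: https://status.example.com/accounts/reset-password?token=3f1a9c0b7e2d4a6f8b1c2d3e4f5a6b7c',
  '2024-01-01T00:00:01Z INFO GET /dashboard 200',
  '2024-01-01T00:00:02Z INFO Reset URL https://status.example.com/reset/Qm9ndXNUb2tlblZhbHVlMTIzNDU2Nzg5MA',
].join('\n');
```

Redaction at the logger is a backstop; the fix in 10.0.24 is to not log the URL at all, and any token found by the scanner in retained logs should be treated as compromised and invalidated.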
Cross-site scripting (XSS) vulnerability in OneUptime monitoring platform versions prior to 10.0.23, where the Markdown viewer component renders Mermaid diagrams with insecure settings that allow arbitrary JavaScript execution. An authenticated attacker with low privileges can inject malicious JavaScript through any markdown field (incident descriptions, status pages, monitor notes), potentially compromising other users' sessions. The EPSS score is 0.03% and there is no KEV listing, so no exploitation in the wild has been observed; that lowers the priority but does not make a stored XSS reachable from shared incident and status-page fields theoretical on a multi-user deployment.
SQL injection in OneUptime telemetry API before 10.0.23.
OneUptime's resend-verification-code endpoint fails to validate user ownership of WhatsApp records, allowing any authenticated attacker to trigger verification code resends for arbitrary users. Public exploit code exists for this vulnerability, which could enable account enumeration or facilitate phishing attacks against other users. The vulnerability affects the UserWhatsAppAPI and UserWhatsAppService components with no patch currently available.
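The missing control in the entry above is an ownership check between the caller and the record named in the request. The block below is an added example, not OneUptime's code: the record store, ids, phone numbers and handler shape are constructed to show the vulnerable lookup beside a lookup scoped to the authenticated user, plus the per-record rate limit that blunts the resend-as-harassment angle.

```javascript
// Added example, not OneUptime's code. Missing-ownership (IDOR) on a
// resend-verification endpoint: the vulnerable handler trusts the record id
// from the body; the hardened one scopes the lookup to the caller, returns the
// same 404 for foreign and nonexistent ids, and rate-limits resends.
// Store contents and ids are constructed.

const whatsAppRecords = new Map([
  ['wa-1001', { id: 'wa-1001', userId: 'user-alice', phone: '+15550000001' }],
  ['wa-2002', { id: 'wa-2002', userId: 'user-bob',   phone: '+15550000002' }],
]);

const sentCodes = [];                       // what the mocked messaging provider was asked to send

function sendCode(record) {
  sentCodes.push({ to: record.phone, id: record.id });
}

// Vulnerable: any authenticated user can name any record id.
function resendVulnerable(req) {
  const rec = whatsAppRecords.get(req.body.whatsAppId);
  if (!rec) return { status: 404 };
  sendCode(rec);
  return { status: 200 };
}

// Hardened: equivalent to `WHERE id = ? AND userId = ?`. A foreign id is
// indistinguishable from a missing one, so the endpoint is not an enumeration oracle.
const lastResend = new Map();               // record id -> timestamp of last resend
const RESEND_INTERVAL_MS = 60_000;

function resendHardened(req, now = Date.now()) {
  const rec = whatsAppRecords.get(req.body.whatsAppId);
  if (!rec || rec.userId !== req.user.id) return { status: 404 };
  const last = lastResend.get(rec.id) || 0;
  if (now - last < RESEND_INTERVAL_MS) return { status: 429 };
  lastResend.set(rec.id, now);
  sendCode(rec);
  return { status: 200 };
}
```

In a real service the ownership predicate belongs in the data-access layer query rather than a post-fetch comparison, so that every caller of the lookup inherits it; the comparison form above is used only to keep the example self-contained.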
Unauthenticated path traversal in OneUptime versions before 10.0.21 allows remote attackers to read arbitrary files from the server via the /workflow/docs/:componentName endpoint, which fails to sanitize user input before passing it to file operations. Public exploit code exists for this vulnerability, affecting all users of vulnerable versions without authentication requirements. Upgrade to version 10.0.21 or later to remediate.
OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.
OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by exploiting insufficient validation in the OAuth callback handler, enabling them to redirect repository access and create code records in arbitrary projects. Public exploit code exists for this vulnerability. The feed entry lists no vendor fix even though the affected range ends at 10.0.19, so confirm the fixed version against the vendor advisory before treating an upgrade as remediation; until then, GitHub and OneUptime users remain at risk.
OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring configuration.
OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validation is missing, allowing attackers with a captured assertion to replay valid authentication tokens indefinitely and bypass multi-factor authentication. The vulnerability affects authenticated users and requires only low privileges to exploit, with public exploit code already available. The feed entry lists no patch for this high-severity flaw even though the affected range ends at 10.0.11; confirm the fixed version against the vendor advisory.
OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands on the monitoring server. PoC and patch available.
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
OneUptime is a solution for monitoring and managing online services. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.