Summary
Uptime Kuma status page allows persistent XSS.
PoC
- Run Uptime Kuma version 1.19.2.
- Create a new status page.
- Edit a status page and enter the following payload into "description":
"><script>alert('XSS in description discovered by Manuel')</script>
- Press "Save" --> The payload is executed.
- The payload is also executed when you select this status page.
Impact
https://cwe.mitre.org/data/definitions/79.html
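The following is an added example, not code from Uptime Kuma or from the original report. It shows a status page description being interpolated into HTML without encoding next to the output-encoded form, plus a heuristic audit of stored descriptions. The renderer functions, the `slug`/`description` field names, the markup pattern and the sample pages are assumptions made for illustration; only the payload string comes from the PoC above.

```javascript
// Added example: hypothetical renderer, NOT Uptime Kuma's actual code.
// PAYLOAD is the string from the PoC; the sample pages are constructed.
const PAYLOAD = "\"><script>alert('XSS in description discovered by Manuel')</script>";

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
    return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape: the stored description is placed verbatim in an
// attribute and in element content, so '">' closes the attribute and
// the following <script> element is parsed as markup.
function renderUnsafe(page) {
    return `<meta name="description" content="${page.description}">\n` +
        `<div class="description">${page.description}</div>`;
}

// Hardened shape: encode at output time, for every HTML sink.
function renderSafe(page) {
    const description = escapeHtml(page.description);
    return `<meta name="description" content="${description}">\n` +
        `<div class="description">${description}</div>`;
}

// Heuristic audit of already-stored records: flag descriptions that
// contain tags, inline event handlers or javascript: URLs for review.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z][^>]*>|\bon\w+\s*=|javascript:/i;

function findSuspiciousDescriptions(pages) {
    return pages.filter((p) => MARKUP_PATTERN.test(p.description)).map((p) => p.slug);
}

// Constructed sample data standing in for stored status pages.
const SAMPLE_PAGES = [
    { slug: "demo", description: PAYLOAD },
    { slug: "ops", description: "Status of our API & web services" },
];

console.log(renderSafe(SAMPLE_PAGES[0]));
console.log(findSuspiciousDescriptions(SAMPLE_PAGES));
```

Because the payload is persisted, encoding new output does not remove what is already stored; the audit helper is a way to find existing records to review after upgrading.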