SCA: security update for uptime-kuma (GHSA-88j4-pcx8-q4q3)

Tenable Cloud Security Plugin ID 412545 (Severity: High)

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes
their login password in Uptime Kuma, a previously logged-in user retains access without being logged out.
This behavior persists even after system restarts or browser restarts. The vulnerability allows
unauthorized access to user accounts, compromising the security of sensitive information. The same
vulnerability was partially fixed in CVE-2023-44400, but logging existing users out of their accounts was
forgotten. To mitigate the risks associated with this vulnerability, the maintainers made the server emit
a `refresh` event (clients handle this by reloading) and then disconnect all clients except the one
initiating the password change. It is recommended to update Uptime Kuma to version 1.23.9.
(CVE-2023-49804)
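The mitigation described above, as an added illustration that is not Uptime Kuma's own code: after the new password hash is stored, every other live client of that user is told to `refresh` and then disconnected, while the initiating client is kept. It goes one step beyond the advisory text by also bumping a per-user token version so that a remembered login from before the change is rejected when it reconnects; `makeSocket`, `SessionManager` and the token layout are constructed for this example and stand in for a socket.io server.

```javascript
// Minimal stand-in for a socket.io connection (constructed for this example):
// records emitted events and whether the server disconnected it.
function makeSocket(id) {
  return { id, events: [], disconnected: false,
           emit(name) { this.events.push(name); },
           disconnect() { this.disconnected = true; } };
}

class SessionManager {
  constructor() {
    this.sockets = new Map();       // socketId -> { userId, socket }
    this.tokenVersion = new Map();  // userId -> integer bumped on every password change
  }
  currentVersion(userId) { return this.tokenVersion.get(userId) || 0; }
  // Registers a live connection and hands back a session token (stand-in for a signed token).
  login(userId, socket) {
    this.sockets.set(socket.id, { userId, socket });
    return { userId, version: this.currentVersion(userId) };
  }
  // A token is only honoured if it was issued after the latest password change; this is
  // the check that stops a login remembered by the browser from surviving a restart.
  isTokenValid(token) {
    return token.version === this.currentVersion(token.userId);
  }
  // The fix from the advisory: emit `refresh` to every other client of this user
  // (clients reload on it), then disconnect them. Returns the dropped socket ids and
  // a fresh token for the initiator, which must stay logged in.
  onPasswordChanged(userId, initiatorSocketId) {
    const version = this.currentVersion(userId) + 1;
    this.tokenVersion.set(userId, version);
    const dropped = [];
    for (const [id, entry] of this.sockets) {
      if (entry.userId !== userId || id === initiatorSocketId) continue;
      entry.socket.emit('refresh');
      entry.socket.disconnect();
      this.sockets.delete(id);
      dropped.push(id);
    }
    return { dropped, initiatorToken: { userId, version } };
  }
}
```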

See Also

https://github.com/advisories/GHSA-88j4-pcx8-q4q3

Plugin Details

Severity: High

ID: 412545

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-49804

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/12/2023

Vulnerability Publication Date: 12/11/2023

Reference Information

CVE: CVE-2023-49804

CWE: CWE-384