Unknown · Uptime Kuma · CVE-2023-44400
**Name of the Vulnerable Software and Affected Versions**
Uptime Kuma versions prior to 1.23.3
**Description**
The issue allows an attacker with access to a user's device to gain persistent account access, because session tokens are not re-verified after a password change or after a period of inactivity. The cause is a design flaw in the JWT tokens that `uptime-kuma` issues to users after successful authentication. The tokens are stored in `sessionStorage` or `localStorage` and remain valid with no time limit, even after long periods of inactivity, which increases the risk of session hijacking. Previously issued tokens also remain valid indefinitely after a user changes their password, and on logout the session is deleted only on the client side, so a local attacker can reuse the token. This is a high security risk, since a user's session token can remain valid even after a password change or a long idle period.
**Recommendations**
For versions prior to 1.23.3, update to version 1.23.3 or later to patch the issue. As a temporary workaround, log out of all sessions after changing passwords and restrict access to sensitive areas of the application to minimize the risk of exploitation. Avoid using the `Remember Me` feature until the issue is resolved, and restrict access to `sessionStorage` and `localStorage` to prevent unauthorized access to JWT tokens.