PT-2023-29233 · Unknown · Uptime Kuma
Dj4Oc +1
Published 2023-10-09 · Updated 2023-12-11 · CVE-2023-44400
CVSS v3.1 6.7 Medium
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Uptime Kuma versions prior to 1.23.3
Description: An attacker with access to a user's device can gain persistent account access because session tokens are not re-verified after a password change or after a period of inactivity. The cause is a design flaw in the JWT that uptime-kuma issues to a user after successful authentication. The token is stored in sessionStorage or localStorage and carries no expiry, so it stays valid after arbitrarily long idle periods, which increases the exposure to session hijacking. Tokens issued before a password change also remain valid indefinitely, and logging out only discards the token on the client side, so a local attacker who has copied the token can keep reusing it. The risk is high because the token remains a working credential even after the user changes their password or has been inactive for a long time.
Recommendations: For versions prior to 1.23.3, update to version 1.23.3 or later. Until the update is applied: log out of all sessions after changing a password (the token lives on the client, so clear sessionStorage and localStorage in every browser that was used to sign in), restrict access to sensitive areas of the application, avoid the Remember Me option (which keeps the token in persistent storage), and keep the devices and browser profiles that hold the token under your control, since anyone who can read sessionStorage or localStorage can copy the JWT.

Weakness Enumeration
Session Fixation

Related Identifiers
CVE-2023-44400
GHSA-G9V2-WQCJ-J99G

Affected Products
Uptime Kuma