CVE-2023-49276

Name of the Vulnerable Software and Affected Versions Uptime Kuma versions prior to 1.23.7

Description The Google Analytics element in Uptime Kuma is vulnerable to Attribute Injection, leading to Cross-Site-Scripting (XSS) attacks. This occurs because the custom status interface can set an independent Google Analytics ID and the template has not been sanitized. As a result, there is an attribute injection vulnerability that can lead to XSS attacks.

Recommendations For versions prior to 1.23.7, upgrade to release version 1.23.7 or later to address the vulnerability. As a temporary workaround, consider disabling the Google Analytics element in the custom status interface until a patch is available. Restrict access to the custom status interface to minimize the risk of exploitation. Avoid using the Google Analytics ID field in the custom status interface until the issue is resolved.