PT-2023-33027 · Unknown · Uptime Kuma

Published 2023-11-27 · Updated 2023-11-27

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Uptime Kuma (affected versions not specified)
Description

The issue concerns a command injection vulnerability in Uptime Kuma. Specifically, the runTailscalePing method of the TailscalePing class injects the hostname parameter inside a shell command, allowing the execution of arbitrary commands on the server. This can be exploited by adding a new monitor of the "Tailscale Ping" type and inserting a command injection payload into the hostname field. The front-end validation for the hostname field can be bypassed by removing the pattern attribute from the input element. An authenticated user can execute arbitrary commands on the server running Uptime Kuma.
Recommendations

To resolve the issue, consider modifying the runTailscalePing method to use the spawn method from the child_process module, which does not interpret the command as a shell command, similar to other command execution instances in the codebase. Additionally, using the -- sequence between the ping subcommand and the hostname argument can help avoid argument injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

GHSA-HFXH-RJV7-2369

Affected Products

Uptime Kuma