PT-2024-22798 · Oneuptime · Oneuptime

Saunders-Jake

·

Published

2024-03-24

·

Updated

2025-12-05

·

CVE-2024-29194

CVSS v3.1

8.3

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 7.0.1815
Description: The issue lies in improper validation of client-side stored data within the web application. Specifically, the is_master_admin key, stored in the browser's local storage, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user without proper server-side validation. Because local storage is entirely under the control of the person using the browser, any authenticated low-privileged user can flip the flag from the developer tools. This allows unauthorized access to administrative functionality and represents a high security risk; for example, an attacker could view the list of users who have signed up to the OneUptime instance.
Recommendations: For versions prior to 7.0.1815, update to version 7.0.1815 to resolve the issue. As a temporary workaround, consider restricting access to the is_master_admin key in local storage to reduce the risk of exploitation; note that local storage cannot be protected from the user who owns the browser session, so this workaround does not substitute for the update and the server-side authorization check it brings.
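The pattern behind this advisory, shown as an added example (not OneUptime's own code): an API handler that trusts an admin flag echoed from the browser's local storage, beside a handler that resolves the caller's role from the server-side session record. The in-memory USERS table, the x-is-master-admin header used to carry the flag to the server, and all function names are assumptions made for illustration; the page does not describe OneUptime's actual transport for the flag.

```javascript
// Added example, not OneUptime's code. USERS, the x-is-master-admin header and the
// function names are illustrative assumptions; the is_master_admin key is the one
// named in the advisory.

// Constructed server-side user records: the only authoritative source of the admin bit.
const USERS = {
  'sess-alice':   { id: 1, email: 'alice@example.com',   isMasterAdmin: true },
  'sess-mallory': { id: 2, email: 'mallory@example.com', isMasterAdmin: false },
};

// Browser side. Everything in localStorage is writable by the user; this shim stands
// in for window.localStorage so the example runs under Node.
function makeStorage() {
  const data = {};
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
  };
}

// Client code of the kind described in the advisory: login stores the server-provided
// value, and later requests forward that stored value back to the API.
function login(storage, sessionId) {
  const user = USERS[sessionId];
  storage.setItem('is_master_admin', String(Boolean(user && user.isMasterAdmin)));
}

function buildRequest(storage, sessionId) {
  return {
    sessionId,
    headers: { 'x-is-master-admin': storage.getItem('is_master_admin') },
  };
}

// What the attacker does: the equivalent of one line in the devtools console,
// localStorage.setItem('is_master_admin', 'true').
function tamper(storage) {
  storage.setItem('is_master_admin', 'true');
}

// Vulnerable handler: trusts the flag echoed from the browser (client-side enforcement
// of a server-side decision).
function listUsersVulnerable(request) {
  if (request.headers['x-is-master-admin'] === 'true') {
    return { status: 200, body: Object.values(USERS).map((u) => u.email) };
  }
  return { status: 403, body: 'forbidden' };
}

// Fixed handler: resolves the caller from the session and reads the admin bit from the
// server-side record; whatever the client claims about its role is ignored.
function listUsersFixed(request) {
  const user = USERS[request.sessionId];
  if (!user) return { status: 401, body: 'unauthenticated' };
  if (!user.isMasterAdmin) return { status: 403, body: 'forbidden' };
  return { status: 200, body: Object.values(USERS).map((u) => u.email) };
}

// Run one session through both handlers before and after tampering with local storage.
function scenario(sessionId) {
  const storage = makeStorage();
  login(storage, sessionId);
  const before = buildRequest(storage, sessionId);
  tamper(storage);
  const after = buildRequest(storage, sessionId);
  return {
    vulnerableBefore: listUsersVulnerable(before).status,
    vulnerableAfter: listUsersVulnerable(after).status,
    fixedBefore: listUsersFixed(before).status,
    fixedAfter: listUsersFixed(after).status,
  };
}

console.log(scenario('sess-mallory'));
// { vulnerableBefore: 403, vulnerableAfter: 200, fixedBefore: 403, fixedAfter: 403 }
```

The low-privileged user is refused by both handlers until the flag is flipped; after that the vulnerable handler returns the user list while the fixed one still refuses, because its decision never depended on client-supplied state. The same principle is the reason the local-storage workaround above is weak: the server must not consume the flag at all.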

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2024-29194
GHSA-246p-xmg8-wmcq

Affected Products

Oneuptime