Moderate severity · NVD Advisory · Published Dec 1, 2023 · Updated Aug 2, 2024

Attribute Injection leading to XSS(Cross-Site-Scripting) in uptime-kuma

CVE-2023-49276

Description

Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element is vulnerable to Attribute Injection leading to Cross-Site-Scripting (XSS). Since the custom status interface can set an independent Google Analytics ID and the template has not been sanitized, there is an attribute injection vulnerability here, which can lead to XSS attacks. This vulnerability has been addressed in commit f28dccf4e which is included in release version 1.23.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
uptime-kuma (npm) | >= 1.20.0, < 1.23.7 | 1.23.7


Patches

1
f28dccf4e11f

Merge pull request from GHSA-v4v2-8h88-65qj

https://github.com/louislam/uptime-kuma · Louis Lam · Nov 24, 2023 · via ghsa
3 files changed · +20 9
  • package.json+1 0 modified
    @@ -100,6 +100,7 @@
             "express-static-gzip": "~2.1.7",
             "form-data": "~4.0.0",
             "gamedig": "~4.1.0",
    +        "html-escaper": "^3.0.3",
             "http-graceful-shutdown": "~3.1.7",
             "http-proxy-agent": "~5.0.0",
             "https-proxy-agent": "~5.0.1",
    
  • package-lock.json+10 4 modified
    @@ -33,6 +33,7 @@
                     "express-static-gzip": "~2.1.7",
                     "form-data": "~4.0.0",
                     "gamedig": "~4.1.0",
    +                "html-escaper": "^3.0.3",
                     "http-graceful-shutdown": "~3.1.7",
                     "http-proxy-agent": "~5.0.0",
                     "https-proxy-agent": "~5.0.1",
    @@ -10747,10 +10748,9 @@
                 "dev": true
             },
             "node_modules/html-escaper": {
    -            "version": "2.0.2",
    -            "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
    -            "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==",
    -            "dev": true
    +            "version": "3.0.3",
    +            "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-3.0.3.tgz",
    +            "integrity": "sha512-RuMffC89BOWQoY0WKGpIhn5gX3iI54O6nRA0yC124NYVtzjmFWBIiFd8M0x+ZdX0P9R4lADg1mgP8C7PxGOWuQ=="
             },
             "node_modules/html-tags": {
                 "version": "3.3.1",
    @@ -11558,6 +11558,12 @@
                     "node": ">=8"
                 }
             },
    +        "node_modules/istanbul-reports/node_modules/html-escaper": {
    +            "version": "2.0.2",
    +            "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
    +            "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==",
    +            "dev": true
    +        },
             "node_modules/jackspeak": {
                 "version": "2.3.6",
                 "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-2.3.6.tgz",
    
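--- a/server/google-analytics.js
+++ b/server/google-analytics.js
@@ -1,4 +1,5 @@
 const jsesc = require("jsesc");
+const { escape } = require("html-escaper");
 
 /**
  * Returns a string that represents the javascript that is required to insert the Google Analytics scripts
@@ -7,15 +8,18 @@ const jsesc = require("jsesc");
  * @returns {string}
  */
 function getGoogleAnalyticsScript(tagId) {
-    let escapedTagId = jsesc(tagId, { isScriptContext: true });
+    let escapedTagIdJS = jsesc(tagId, { isScriptContext: true });
 
-    if (escapedTagId) {
-        escapedTagId = escapedTagId.trim();
+    if (escapedTagIdJS) {
+        escapedTagIdJS = escapedTagIdJS.trim();
     }
 
+    // Escape the tag ID for use in an HTML attribute.
+    let escapedTagIdHTMLAttribute = escape(tagId);
+
     return `
-        <script async src="https://www.googletagmanager.com/gtag/js?id=${escapedTagId}"></script>
-        <script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());gtag('config', '${escapedTagId}'); </script>
+        <script async src="https://www.googletagmanager.com/gtag/js?id=${escapedTagIdHTMLAttribute}"></script>
+        <script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());gtag('config', '${escapedTagIdJS}'); </script>
     `;
 }
 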
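Review bot: The `src` value in the first `<script>` tag is a URL query parameter as well as an attribute value, and `escape()` only handles the attribute layer: an `&` in `tagId` becomes `&amp;`, which the browser decodes back to `&` when it resolves the URL, so additional query parameters can still be appended to the gtag loader request even though the attribute can no longer be broken out of. Encoding for the inner context first and the outer context second closes that gap, `let escapedTagIdHTMLAttribute = escape(encodeURIComponent(tagId));`. The two escaped forms are also treated inconsistently — `escapedTagIdJS` is trimmed but the attribute form is not, so a tag ID with surrounding whitespace renders differently in the two places; trimming `tagId` once before either escape would remove the discrepancy. If I read html-escaper correctly its `escape()` invokes `String.prototype.replace` on the argument and will throw on a null or undefined `tagId` where the old code did not, so either confirm the caller never passes a nullish value or guard it before the call. A strict allowlist check on the tag ID (letters, digits and hyphens only) ahead of any escaping would be cheap defence in depth on top of the context-specific encoding.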
    

