High severityNVD Advisory· Published Mar 24, 2024· Updated Aug 13, 2024
OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation
CVE-2024-29194
Description
OneUptime is a solution for monitoring and managing online services. The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation. This has been patched in 7.0.1815.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@oneuptime/modelnpm | < 7.0.1815 | 7.0.1815 |
@oneuptime/common-servernpm | < 7.0.1815 | 7.0.1815 |
Affected products
3- ghsa-coords2 versions
< 7.0.1815+ 1 more
- (no CPE)range: < 7.0.1815
- (no CPE)range: < 7.0.1815
- OneUptime/oneuptimev5Range: < 7.0.1815
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-246p-xmg8-wmcqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-29194ghsaADVISORY
- github.com/OneUptime/oneuptime/commit/14016d23d834038dd65d3a96cf71af04b556a32cghsax_refsource_MISCWEB
- github.com/OneUptime/oneuptime/security/advisories/GHSA-246p-xmg8-wmcqghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.