Summary
The "description" field of an Uptime Kuma status page is rendered without being escaped, so HTML and script placed in it is stored and executed in the browser of anyone who opens the status page (persistent / stored XSS).
PoC
- Run Uptime Kuma version 1.19.2.
- Create a new status page.
- Edit the status page and enter the following payload into the "description" field:

  ```html
  "><script>alert('XSS in description discovered by Manuel')</script>
  ```

- Press "Save": the payload is executed immediately in the editing user's browser.
- The payload is executed again every time this status page is opened, so the XSS is stored rather than reflected.
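The following is an added example, not code from Uptime Kuma or from the advisory author. It shows the interpolation pattern that turns the PoC payload into live markup (untrusted text concatenated into HTML, inside an attribute and as element content), next to the same rendering with the field HTML-escaped, plus a crude check that tells the two outputs apart. Function names and the `<p ... title="">` markup are invented for illustration; Uptime Kuma is a Vue application and its actual template is not reproduced here.

```javascript
// Added example (not Uptime Kuma code): demonstrates why the PoC payload
// executes when a status-page description is interpolated into HTML, and how
// entity-escaping the untrusted field neutralises it.

// The payload from the PoC above. The leading `">` is there to break out of a
// double-quoted attribute if the value happens to be interpolated into one.
const PAYLOAD = `"><script>alert('XSS in description discovered by Manuel')</script>`;

// Vulnerable pattern: the description is dropped into markup verbatim, both as
// an attribute value and as element content. The markup itself is hypothetical.
function renderDescriptionUnsafe(description) {
  return `<p class="description" title="${description}">${description}</p>`;
}

// Escape the five characters that can change meaning in text content or in a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: identical markup, but the field is escaped before it is
// interpolated, so the payload is displayed as text instead of parsed as a tag.
function renderDescriptionSafe(description) {
  const escaped = escapeHtml(description);
  return `<p class="description" title="${escaped}">${escaped}</p>`;
}

// Crude indicator of whether a script element survived into the markup. This
// is only to contrast the two renderers; real detection should parse the HTML
// rather than grep it.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe :', renderDescriptionUnsafe(PAYLOAD));
console.log('safe   :', renderDescriptionSafe(PAYLOAD));
console.log('script tag in unsafe output:', containsScriptTag(renderDescriptionUnsafe(PAYLOAD)));
console.log('script tag in safe output  :', containsScriptTag(renderDescriptionSafe(PAYLOAD)));
```

In a Vue template the same distinction is the difference between mustache interpolation (`{{ description }}`, which escapes) and `v-html`, which inserts raw markup; whichever rendering path a status page uses, the description must be treated as untrusted text, because anyone with edit rights on the status page can store a payload that later runs in every viewer's browser.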
Impact
Stored cross-site scripting (CWE-79): a user who can edit a status page can store arbitrary JavaScript in its description, which then runs in the context of the Uptime Kuma origin for anyone who opens that status page.
https://cwe.mitre.org/data/definitions/79.html
Screenshots
![Screenshot from 2022-12-28 23-40-04](https://user-images.githubusercontent.com/47991713/209881599-f0f15d38-98de-4a56-9f6a-f07bb9d76505.png)
![Screenshot from 2022-12-28 23-40-18](https://user-images.githubusercontent.com/47991713/209881596-43617f52-02db-45d4-967c-720d4ba91ab6.png)