Uptime Kuma
cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*, +2 more
- >= 1.20.0, <= 1.23.6
A cross-site scripting (XSS) vulnerability has been identified in Uptime Kuma versions 1.20.0 through 1.23.6. The issue arises from the Google Analytics element on status pages, which is susceptible to attribute injection. The status page editor allows a user to set a custom Google Analytics ID for each status page, but the template that renders the analytics element does not sanitize or escape this value. A value containing a quote character therefore breaks out of the intended attribute, and an attacker can inject further attributes (for example an event handler) that execute script.
An attacker with access to the status page editor can inject script that runs in the browser of anyone who views the affected status page, in the origin of the Uptime Kuma instance.
To reproduce this vulnerability, run a container of an affected Uptime Kuma release (1.20.0 through 1.23.6) and complete the initial setup by setting an account password. Create a new status page and edit it so that the Google Analytics ID field contains a payload that breaks out of the attribute and executes script; the reported payload begins with '123123' followed by script-executing markup. Save the changes and reload the status page: the injected script executes.
Users are advised to upgrade to Uptime Kuma version 1.23.7 or later, which fixes the issue.
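The following JavaScript is an added example and is not Uptime Kuma's source. It models the vulnerable pattern the advisory describes: a template that interpolates a user-supplied Google Analytics ID straight into a script tag's src attribute, so that a constructed ID containing a double quote smuggles an extra onload attribute into the tag. Beside it is a hardened renderer that allowlists the ID format (Universal Analytics UA-… and GA4 G-… IDs) and HTML-escapes the value before interpolation. The tag shape, the allowlist regex, the helper names and the payload are this example's own assumptions.

```javascript
// Added example, not Uptime Kuma code. Assumed template shape: the analytics
// ID is placed in the src attribute of a <script> tag by string interpolation.

// Vulnerable: the user-controlled ID is interpolated with no escaping.
// A value containing '"' closes the src attribute and starts a new one.
function renderGaTagVulnerable(gaId) {
  return `<script async src="https://www.googletagmanager.com/gtag/js?id=${gaId}"></script>`;
}

// Assumed allowlist for Google Analytics IDs: UA-XXXXXXXX-X (Universal
// Analytics) or G-XXXXXXXXXX (GA4 measurement ID). Anything else is rejected.
const GA_ID_PATTERN = /^(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{4,15})$/;

function isValidGaId(gaId) {
  return typeof gaId === 'string' && GA_ID_PATTERN.test(gaId);
}

// Escape the characters that can terminate an HTML attribute value or open a
// tag; this alone already prevents the attribute breakout.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: validate against the allowlist first (render nothing on failure),
// then escape the value anyway so the two defenses are independent.
function renderGaTagHardened(gaId) {
  if (!isValidGaId(gaId)) {
    return '';
  }
  return `<script async src="https://www.googletagmanager.com/gtag/js?id=${escapeHtmlAttr(gaId)}"></script>`;
}

// Helper for checking the rendered output: list the attribute names that
// carry a quoted value inside a single tag. A breakout shows up as an extra
// name (e.g. "onload") that the template never intended to emit.
function extractAttributeNames(tagHtml) {
  const names = [];
  const re = /\s([A-Za-z-]+)="/g;
  let match;
  while ((match = re.exec(tagHtml)) !== null) {
    names.push(match[1]);
  }
  return names;
}

// Constructed payload: a plausible-looking ID, then a quote that closes the
// src attribute, then an injected event handler attribute.
const CONSTRUCTED_PAYLOAD = 'G-1234" onload="alert(1)';

console.log('vulnerable :', renderGaTagVulnerable(CONSTRUCTED_PAYLOAD));
console.log('attributes :', extractAttributeNames(renderGaTagVulnerable(CONSTRUCTED_PAYLOAD)));
console.log('hardened   :', JSON.stringify(renderGaTagHardened(CONSTRUCTED_PAYLOAD)));
console.log('valid ID   :', renderGaTagHardened('G-ABC123XYZ0'));
```

Run with node; the vulnerable rendering yields a tag with both src and onload attributes, while the hardened renderer emits nothing for the payload and a single-attribute tag for a well-formed ID. Either defense in isolation blocks this specific breakout, but the allowlist is the stronger primary control here because a Google Analytics ID has a fixed, narrow format and there is no legitimate reason to accept anything outside it.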