OneUptime Privilege Escalation Vulnerability via Login Response Manipulation
Vulnerability
A privilege escalation vulnerability has been identified in OneUptime versions prior to 8.0.5567. The issue arises during the login process: the server's login response includes a parameter called 'isMasterAdmin'. By intercepting that response and changing the parameter from false to true, an authenticated user can gain access to the admin dashboard. Without the corresponding server-side permissions, however, they may be unable to view or interact with the data shown there. This vulnerability has been patched in version 8.0.5567.
Impact
Exploitation of this vulnerability allows unauthorized users to access the admin dashboard, potentially leading to unauthorized actions or visibility of sensitive data, depending on the user's existing permissions.
Reproduction
To reproduce this vulnerability, log into OneUptime and intercept the server response. Modify the 'isMasterAdmin' parameter value from false to true. After sending the modified response, access the admin dashboard.
Remediation
Users can update to OneUptime version 8.0.5567 or later to address this vulnerability.
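The root cause described above is a client that gates the admin dashboard on a flag it received in the login response. The following is an added example, not OneUptime's code: a hypothetical Express-style request handler in TypeScript that shows the flawed pattern (trusting a client-asserted 'isMasterAdmin') beside the hardened one, where every admin request re-derives the privilege from a server-side session store (the session store, tokens and user names are constructed sample data).

```typescript
// Added example (not from OneUptime). Server-side session store is the source of truth.
type Session = { userId: string; isMasterAdmin: boolean };

// Constructed sample sessions: what the server actually knows about each token.
const sessions = new Map<string, Session>([
  ["tok-alice", { userId: "alice", isMasterAdmin: false }],
  ["tok-root", { userId: "root", isMasterAdmin: true }],
]);

type Req = { sessionToken?: string; body?: Record<string, unknown> };
type Res = { status: number; body: Record<string, unknown> };

const forbidden: Res = { status: 403, body: { error: "forbidden" } };

// Flawed pattern: the privilege decision uses a flag the client presents.
// A tampered login response lets any user present isMasterAdmin=true.
function adminDashboardInsecure(req: Req): Res {
  const claimed = req.body?.["isMasterAdmin"] === true;
  return claimed ? { status: 200, body: { dashboard: "admin" } } : forbidden;
}

// Hardened: look the privilege up server-side on every admin request and
// ignore anything the client claims about itself.
function requireMasterAdmin(req: Req): Session | null {
  const session = req.sessionToken ? sessions.get(req.sessionToken) : undefined;
  if (!session) return null;
  if (!session.isMasterAdmin) {
    // Useful detection signal: a non-admin session reaching an admin route.
    console.warn(`admin route denied for user=${session.userId}`);
    return null;
  }
  return session;
}

function adminDashboardSecure(req: Req): Res {
  const session = requireMasterAdmin(req);
  if (!session) return forbidden;
  return { status: 200, body: { dashboard: "admin", user: session.userId } };
}

// The login response may still carry isMasterAdmin so the UI can hide menus,
// but it is informational only: the server never reads it back from the client.
function loginResponse(token: string): { isMasterAdmin: boolean } | null {
  const session = sessions.get(token);
  return session ? { isMasterAdmin: session.isMasterAdmin } : null;
}
```

With the hardened handler, flipping the flag in the login response only changes what the browser renders; the admin API still answers 403 to a non-admin session.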