OneUptime Unauthenticated Access Vulnerability in Notification API Allowing Service Abuse and Phone Number Purchase
Vulnerability
A vulnerability in OneUptime's Notification API prior to version 10.0.42 allows unauthenticated access to several endpoints related to phone number management and notification testing. This oversight enables abuse of SMS, call, email, and WhatsApp services, as well as unauthorized purchases of phone numbers using the victim organization's Twilio or email credentials. The affected endpoints are publicly accessible through the '/notification' route.
Impact
Exploitation of this vulnerability could lead to unauthorized purchases of phone numbers via the victim's Twilio account, incurring financial costs. It also allows abuse of the victim's communication services: sending SMS, placing phone calls, dispatching WhatsApp messages, and sending email through the victim's infrastructure. There is also a risk of sensitive-information disclosure, since the endpoints use the organization's Twilio and SMTP credentials without any authorization check.
Reproduction
The vulnerability can be reproduced by sending a POST request to one of the affected notification endpoints, such as '/notification/whatsapp/test', '/notification/sms/test', or '/notification/phone-number/purchase'. These requests succeed without any authentication, using only the parameters each endpoint requires. For example, the WhatsApp test endpoint requires a 'toPhone' parameter, while the phone number purchase endpoint needs 'projectId', 'incomingCallPolicyId', and 'phoneNumber'.
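Operators of a self-hosted instance will want to know whether these endpoints were hit without authentication before the upgrade. The following is an added example, not OneUptime's own code: it scans access-log lines for unauthenticated POSTs under '/notification' and flags the three endpoints named above. The JSON-per-line log format and its field names (ts, ip, method, path, status, user) are assumptions; the sample log lines and the '/notification/placeholder-test' path are constructed for the example.

```javascript
// Added example (not part of OneUptime): detect unauthenticated POSTs to the
// notification endpoints named in the advisory. Log format and field names
// (ts, ip, method, path, status, user) are assumptions; adapt to your proxy.

// The endpoints the advisory names explicitly.
const NAMED_ENDPOINTS = new Set([
  '/notification/whatsapp/test',
  '/notification/sms/test',
  '/notification/phone-number/purchase',
]);

// Constructed sample log: two unauthenticated hits from one source, one
// unauthenticated hit on a placeholder path standing in for the other affected
// endpoints, one authenticated test by a real user, one unrelated request.
const SAMPLE_LOG = [
  '{"ts":"2024-05-01T10:00:00Z","ip":"203.0.113.5","method":"POST","path":"/notification/sms/test","status":200,"user":null}',
  '{"ts":"2024-05-01T10:00:02Z","ip":"203.0.113.5","method":"POST","path":"/notification/phone-number/purchase","status":200,"user":null}',
  '{"ts":"2024-05-01T10:01:00Z","ip":"198.51.100.7","method":"POST","path":"/notification/placeholder-test","status":200,"user":null}',
  '{"ts":"2024-05-01T10:02:00Z","ip":"192.0.2.9","method":"POST","path":"/notification/sms/test","status":200,"user":"alice@example.com"}',
  '{"ts":"2024-05-01T10:03:00Z","ip":"192.0.2.9","method":"GET","path":"/api/status","status":200,"user":null}',
].join('\n');

// Returns one finding per unauthenticated POST under /notification/.
// A 2xx status on such a request indicates the pre-patch window; after the
// fix these calls should be rejected (non-2xx).
function findUnauthenticatedNotificationHits(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (entry.method !== 'POST' || typeof entry.path !== 'string') continue;
    if (!entry.path.startsWith('/notification/')) continue;
    if (entry.user) continue; // an authenticated caller is expected traffic
    findings.push({
      ts: entry.ts,
      ip: entry.ip,
      path: entry.path,
      status: entry.status,
      severity: NAMED_ENDPOINTS.has(entry.path) ? 'high' : 'review',
    });
  }
  return findings;
}

// Counts findings per source IP so repeated abuse from one source stands out.
function countBySource(findings) {
  const counts = {};
  for (const f of findings) counts[f.ip] = (counts[f.ip] || 0) + 1;
  return counts;
}
```

Run it over the exported access log of the pre-upgrade period; any 'high' finding with a 2xx status is a request that reached the Twilio or email integration without a session.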
Remediation
Users are advised to update to OneUptime version 10.0.42 or later, where this vulnerability has been patched. Deployments already running version 10.0.42 or later need no further action.