CVE-2023-36822: 
JavaScript vulnerability analysis and mitigation

Uptime Kuma, a self-hosted monitoring tool, contains a path traversal vulnerability in versions prior to 1.22.1. The vulnerability allows authenticated users to delete files from the server through the plugin installation feature. While this feature is disabled in the web interface, the API endpoints remain accessible after login (GitHub Advisory).

The vulnerability exists in the plugin installation mechanism where before a plugin is downloaded, the plugin installation directory is checked for existence and removed if it exists. Due to insufficient validation against the official plugin list and lack of path sanitization, the directory check and removal operations are susceptible to path traversal. The vulnerability has been assigned CVE-2023-36822 with a CVSS v3.1 base score of 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD, GitHub Advisory).

An authenticated attacker can exploit this vulnerability to delete files from the server where Uptime Kuma is running. Depending on which files are deleted, this could result in Uptime Kuma becoming unavailable or cause system-wide data loss (GitHub Advisory).

The vulnerability has been fixed in version 1.22.1 by removing all unreleased plugin feature code from Uptime Kuma. Users should upgrade to version 1.22.1 or later to mitigate this vulnerability (Release Notes).