CVE-2023-44400: 
JavaScript vulnerability analysis and mitigation

Uptime Kuma, a self-hosted monitoring tool, was found to contain a session management vulnerability (CVE-2023-44400) prior to version 1.23.3. The vulnerability was discovered and disclosed on October 9, 2023, affecting all versions up to and including v1.23.2. The issue allows attackers with access to a user's device to gain persistent account access due to missing verification of Session Tokens after password changes and during extended inactivity periods (GitHub Advisory).

The vulnerability stems from design flaws in JWT token implementation. After authentication, tokens are stored in sessionStorage or localStorage based on the 'Remember Me' option. These tokens remain valid indefinitely without time limitations, even after long periods of inactivity. Additionally, sessions are only deleted client-side after logout, and previously issued tokens remain valid even after password changes. The vulnerability received a CVSS v3.1 base score of 6.7 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory, NVD).

The vulnerability enables unauthorized access to user accounts with potential for significant security breaches. An attacker could access confidential monitors (including private ones), notification provider settings, API keys, and sensitive configuration data. They could cause availability issues by creating numerous monitors or manipulating retention policies, leading to database performance degradation or storage exhaustion. Additionally, attackers could compromise integrity by deleting monitors, altering monitor history, or changing monitor configurations (GitHub Advisory).

The vulnerability has been patched in version 1.23.3 of Uptime Kuma. Users are strongly recommended to upgrade to this version or later. The fix includes improvements to session token verification after password changes and implementation of proper session management (GitHub Advisory).