CVE-2023-49276: 
JavaScript vulnerability analysis and mitigation

Uptime Kuma, an open source self-hosted monitoring tool, was found to contain a vulnerability (CVE-2023-49276) where the Google Analytics element was susceptible to Attribute Injection leading to Cross-Site-Scripting (XSS). The vulnerability affects versions from 1.20.0 through 1.23.6, and was discovered and disclosed on November 24, 2023. The issue stems from the custom status interface's ability to set an independent Google Analytics ID without proper template sanitization (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue specifically occurs in the custom status interface where the Google Analytics ID input is not properly sanitized, allowing for attribute injection that can lead to XSS attacks. The vulnerability is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows attackers to perform Cross-Site-Scripting attacks through attribute injection in the Google Analytics element. This can lead to unauthorized script execution in the user's browser context, potentially compromising user data and session information (GitHub Advisory).

The vulnerability has been patched in version 1.23.7 through commit f28dccf4e. Users are strongly advised to upgrade to this version or later. The fix includes proper sanitization of the Google Analytics ID input. There are no known workarounds for this vulnerability (GitHub Advisory).