CVE-2023-49804: 
JavaScript vulnerability analysis and mitigation

Uptime Kuma, an easy-to-use self-hosted monitoring tool, was found to contain a session management vulnerability (CVE-2023-49804) prior to version 1.23.9. When a user changes their login password, previously logged-in users retain access without being logged out. This behavior persists even after system or browser restarts (GitHub Advisory). This vulnerability is related to a previously partially fixed issue (CVE-2023-44400) where logging out existing users after password changes was overlooked.

The vulnerability is classified with a CVSS v3.1 base score of 7.8 (HIGH) by NIST and 6.7 (MEDIUM) by GitHub. The vulnerability is characterized by Local attack vector, Low attack complexity, High privileges required, and No user interaction needed. The vulnerability affects both the Docker images (louislam/dockge <= 1.3.2 and louislam/uptime-kuma <= 1.23.8) and npm package (louislam/uptime-kuma <= 1.23.8) (GitHub Advisory).

The vulnerability enables unauthorized access to user accounts after password changes, compromising the security of sensitive information. Previously logged-in users maintain their access rights, which could lead to unauthorized data access and manipulation of user accounts. This poses a significant threat to the integrity and confidentiality of the Uptime Kuma platform (GitHub Advisory).

The vulnerability has been patched in version 1.23.9 of Uptime Kuma. The fix implements a server-side solution that emits a 'refresh' event and disconnects all clients except the one initiating the password change. Users are strongly recommended to upgrade to version 1.23.9 or later. For Docker users, version 1.3.3 of Dockge addresses this vulnerability (GitHub Advisory).

The vulnerability was initially reported as a bug report in a public issue tracker against the project's security policy. The Uptime Kuma team promptly responded by removing the public post and releasing a patch within three days of the initial discovery (GitHub Advisory).