Summary
This is basically GHSA-88j4-pcx8-q4q but instead of changing passwords, when enabling authentication.
PoC
- Open Uptime Kuma with authentication disabled
- Enable authentication using another window
- Access the platform using the previously logged-in window
- Note that access (read-write) remains despite the enabled authentication
- Expected behaviour:
- After enabling authentication, all previously connected sessions should be invalidated, requiring users to log in.
- Actual behaviour:
- The system retains sessions and never logs out users unless explicitly done by clicking logout or refreshing the page.
Impact
See GHSA-g9v2-wqcj-j99g and GHSA-88j4-pcx8-q4q
TBH this is quite a niche edge case, so I don't know if this even warrants a security report.
Summary
This is basically GHSA-88j4-pcx8-q4q but instead of changing passwords, when enabling authentication.
PoC
Impact
See GHSA-g9v2-wqcj-j99g and GHSA-88j4-pcx8-q4q
TBH this is quite a niche edge case, so I don't know if this even warrants a security report.