exploitDog
GHSA-m449-vh5f-574g

Published: 26 Nov 2025
Source: github
GitHub: Reviewed
CVSS4: 8.8

Description

OneUptime Unauthorized User Creation via API

Summary

A low-permission user can create new accounts by sending a request directly to the user-creation API endpoint. The restriction to the intended interface is not enforced by the API itself, so bypassing the UI bypasses the check.

PoC

A low-permission user sends a crafted API request to the user-creation endpoint and the system creates the account successfully. (The original advisory includes a screenshot of the successful response.)

Impact

This allows an authenticated attacker holding only a low-permission account to create accounts they are not authorized to create.
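The root cause described above is an authorization check that exists only in the client, not at the API (CWE-285, Improper Authorization). The following added example is written for this page and is not OneUptime code or part of the advisory: it models a hypothetical user-creation handler in its vulnerable form beside a hardened form that enforces the permission server-side. The endpoint behaviour, the role names, the permission strings and the in-memory store are all assumptions for illustration.

```typescript
// Added example (not OneUptime code): a hypothetical user-creation endpoint
// handler in vulnerable and hardened form, modelling the CWE-285 pattern
// this advisory describes. Roles, permission strings and the store are
// assumptions for illustration.

type Role = "admin" | "member";

interface Session {
  userId: string;
  role: Role;
}

interface CreateUserBody {
  email: string;
  name: string;
}

interface HttpResponse {
  status: number;
  body: Record<string, unknown>;
}

// Hypothetical role-to-permission table. In a real application this comes
// from the project's authorization layer, not a literal in the handler.
const PERMISSIONS: Record<Role, ReadonlySet<string>> = {
  admin: new Set(["user.create", "user.read"]),
  member: new Set(["user.read"]),
};

function hasPermission(session: Session, permission: string): boolean {
  return PERMISSIONS[session.role].has(permission);
}

// In-memory user store so the example runs offline.
const users = new Map<string, { name: string; createdBy: string }>();

function resetUsers(): void {
  users.clear();
}

function userCount(): number {
  return users.size;
}

// Vulnerable handler: only authentication is checked. The UI hides the
// "create user" action from members, so the author assumed only admins could
// reach this code path. A member who posts to the endpoint directly (curl,
// a browser console, a replayed request) is accepted.
function createUserVulnerable(session: Session | null, body: CreateUserBody): HttpResponse {
  if (!session) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  if (users.has(body.email)) {
    return { status: 409, body: { error: "user exists" } };
  }
  users.set(body.email, { name: body.name, createdBy: session.userId });
  return { status: 201, body: { email: body.email } };
}

// Hardened handler: the permission check is enforced server-side on every
// request, so it holds regardless of which client sent the request.
function createUserHardened(session: Session | null, body: CreateUserBody): HttpResponse {
  if (!session) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  if (!hasPermission(session, "user.create")) {
    // Deny before touching any state; the UI's restriction is not relied on.
    return { status: 403, body: { error: "forbidden" } };
  }
  if (users.has(body.email)) {
    return { status: 409, body: { error: "user exists" } };
  }
  users.set(body.email, { name: body.name, createdBy: session.userId });
  return { status: 201, body: { email: body.email } };
}

// Reproduces the advisory's PoC against both handlers: a low-permission
// session sends the same crafted request straight to the endpoint.
function runPoC(): { vulnerable: number; hardened: number } {
  const member: Session = { userId: "member-1", role: "member" };
  // Constructed sample request body.
  const crafted: CreateUserBody = { email: "attacker@example.invalid", name: "Attacker" };

  resetUsers();
  const vulnerable = createUserVulnerable(member, crafted).status;

  resetUsers();
  const hardened = createUserHardened(member, crafted).status;

  return { vulnerable, hardened };
}

console.log(runPoC()); // { vulnerable: 201, hardened: 403 }
```

The practical check when reviewing a fix like this is that the 403 comes from the endpoint handler (or a middleware every route passes through), not from a client-side guard, and that it is evaluated before any state is written.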

Packages

Name: @oneuptime/common
Ecosystem: npm
Affected versions: < 9.1.0
Fixed version: 9.1.0

EPSS

Percentile: 19%
Score: 0.00061
Low

CVSS4: 8.8 High

Weaknesses

CWE-285

Related vulnerabilities

CVSS3: 8.1
nvd
2 months ago

OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0.
