OneUptime Unauthorized User Creation via API
A low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface.
During the login process, the server response includes a parameter called isMasterAdmin. By intercepting the response and changing this parameter's value from false to true, a user can gain access to the admin dashboard interface. However, despite accessing the admin panel, the user does not have sufficient permissions to view or interact with actual data.
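The server-side check that both findings call for, as an added example (not OneUptime's code): privilege is read from the server's own user record on every request, so neither a direct API call nor a client-held isMasterAdmin value changes the outcome. The handler names, session and user maps, and the sample request are hypothetical and constructed for illustration, and the unchecked handler assumes the gap is a missing role check on the endpoint.

```javascript
// Added illustration; not OneUptime code. All names here are hypothetical.
// Constructed server-side state: the only trusted source of privilege.
const users = new Map([
  ["u-admin", { email: "admin@example.test", isMasterAdmin: true }],
  ["u-low", { email: "low@example.test", isMasterAdmin: false }],
]);
const sessions = new Map([
  ["sess-admin", "u-admin"],
  ["sess-low", "u-low"],
]);
const deniedLog = []; // denied attempts, kept for detection and review

// Flawed pattern: the endpoint only checks that a session exists and relies
// on the UI to hide the "create user" screen from non-admins.
function createUserUnchecked(req) {
  if (!sessions.has(req.sessionToken)) return { status: 401 };
  return { status: 201, created: req.body.email };
}

// Hardened pattern: the role is resolved from the server-side record on
// every request. Any isMasterAdmin value sent by the client is ignored.
function createUserChecked(req) {
  const userId = sessions.get(req.sessionToken);
  if (userId === undefined) return { status: 401 };
  const actor = users.get(userId);
  if (!actor || actor.isMasterAdmin !== true) {
    deniedLog.push({ userId, action: "createUser", target: req.body.email });
    return { status: 403 };
  }
  return { status: 201, created: req.body.email };
}

// Constructed request: low-permission session calling the API directly and
// carrying a client-side isMasterAdmin claim like the tampered login value.
const directCall = {
  sessionToken: "sess-low",
  body: { email: "new@example.test", isMasterAdmin: true },
};

console.log("unchecked:", createUserUnchecked(directCall).status); // 201
console.log("checked:", createUserChecked(directCall).status); // 403
```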