CVE-2024-29194

HIGH Year: 2024
CVSS v3 Score
8.3
High
Weakness Type
CWE-639
View all →

Vulnerability Description

OneUptime is a solution for monitoring and managing online services. The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation. This has been patched in 7.0.1815.

Related Vulnerabilities

CVE-2024-4151

HIGH
CVSS:8.3(High)

An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling...

CWE-6392024

CVE-2025-26788

HIGH
CVSS:8.4(High)

StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction.

CWE-6392025

CVE-2022-4806

HIGH
CVSS:8.2(High)

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

CWE-6392022

CVE-2019-12782

HIGH
CVSS:8.1(High)

An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards ...

CWE-6392019

CVE-2020-36126

HIGH
CVSS:8.1(High)

Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control that can lead to remote privilege escalation. PAXSTORE marketplace endpoints allow an authenticated user...

CWE-6392020

CVE-2021-24739

HIGH
CVSS:8.1(High)

The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature

CWE-6392021