| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @oneuptime/common | npm | < 9.1.0 | 9.1.0 |
The vulnerability lies in an improper authorization flaw within the OneUptime platform, allowing users with low privileges to create new accounts via a direct API request. The analysis of the provided patch, specifically commit 07bc6d4edde7397ea6b88f889c065ec392052ab4, reveals that the root cause is an overly permissive access control setting on the User database model.
The patch modifies the Common/Models/DatabaseModels/User.ts file, changing the @TableAccessControl decorator for the User class. The line create: [Permission.Public] was removed, which indicates that, prior to the fix, the action of creating a user was open to the public, requiring no specific permissions.
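To make the effect of that one-line change concrete, here is an added illustration (not OneUptime's code, and not the real @TableAccessControl implementation) that models a table-level policy as a plain object and evaluates a create request against it. The permission names other than Permission.Public, the TablePolicy type, and the canPerform/handleCreateUser functions are assumptions introduced for this example; the page does not show OneUptime's actual permission set or handler.

```typescript
// Added example: a minimal model of a table-level access-control policy in the
// shape of the @TableAccessControl decorator described above. Every name except
// Permission.Public and the "create" key is an assumption for this illustration.

enum Permission {
  Public = "Public",             // implicitly held by every caller, logged in or not
  User = "User",                 // assumed: any authenticated user
  ProjectAdmin = "ProjectAdmin", // assumed: elevated role
}

type Action = "create" | "read" | "update" | "delete";

// One entry per action; an action with no entry is denied to everyone.
type TablePolicy = Partial<Record<Action, Permission[]>>;

// Vulnerable shape: "create" is granted to Permission.Public, so an
// unauthenticated API request satisfies the check.
const userTableBefore: TablePolicy = {
  create: [Permission.Public],
  read: [Permission.ProjectAdmin],
  update: [Permission.ProjectAdmin],
  delete: [Permission.ProjectAdmin],
};

// Fixed shape: the "create" entry is removed entirely, so the deny-by-default
// rule below rejects every direct creation request.
const userTableAfter: TablePolicy = {
  read: [Permission.ProjectAdmin],
  update: [Permission.ProjectAdmin],
  delete: [Permission.ProjectAdmin],
};

// Every caller holds Permission.Public in addition to whatever was granted.
// That is exactly why listing Public on an action means "no permission needed".
function effectivePermissions(granted: Permission[]): Set<Permission> {
  return new Set<Permission>([Permission.Public, ...granted]);
}

// Deny by default: allow only if the policy lists the action and the caller
// holds at least one of the listed permissions.
function canPerform(policy: TablePolicy, action: Action, granted: Permission[]): boolean {
  const allowed = policy[action];
  if (!allowed || allowed.length === 0) {
    return false;
  }
  const held = effectivePermissions(granted);
  return allowed.some((p) => held.has(p));
}

// Simulated user-creation endpoint: authorize before constructing anything.
// Returns an HTTP-style status so the two policies can be compared directly.
function handleCreateUser(policy: TablePolicy, granted: Permission[]): { status: number } {
  if (!canPerform(policy, "create", granted)) {
    return { status: 403 };
  }
  // In the real platform the User object would be constructed here, which is
  // the User.constructor frame a runtime profiler would record.
  return { status: 201 };
}
```

Running handleCreateUser with an empty permission list (an unauthenticated caller) returns 201 under userTableBefore and 403 under userTableAfter; a low-privilege User is likewise refused after the fix, while ProjectAdmin can still read the table. The point of the deny-by-default shape is that removing an over-broad grant is sufficient on its own, with no need to enumerate who may not create.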
During the exploitation of this vulnerability, an attacker would make an API call to the user creation endpoint. This would lead to the instantiation of a new User object. The User.constructor is the function directly responsible for creating this object. Therefore, a runtime profiler would show User.constructor in the stack trace of the malicious request. While the constructor itself doesn't contain the flawed logic, it is a critical function in the execution path of the vulnerability, making it a key indicator of exploitation.
Affected function: User.constructor (Common/Models/DatabaseModels/User.ts)