Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
5 vulnerabilities by thruk
CVE-2024-23822 (GCVE-0-2024-23822)
Vulnerability from cvelistv5 – Published: 2024-01-29 15:46 – Updated: 2025-05-29 15:09
VLAI
Title
Thruk Incorrect limitation of a pathname to a restricted directory (Path Traversal) (CWE-22)
Summary
Thruk is a multibackend monitoring webinterface. Prior to 3.12, the Thruk web monitoring application presents a vulnerability in a file upload form that allows a threat actor to arbitrarily upload files to the server to any path they desire and have permissions for. This vulnerability is known as Path Traversal or Directory Traversal. Version 3.12 fixes the issue.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/sni/Thruk/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/sni/Thruk/commit/1aa9597cdf272… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:13:08.393Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/sni/Thruk/security/advisories/GHSA-4mrh-mx7x-rqjx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sni/Thruk/security/advisories/GHSA-4mrh-mx7x-rqjx"
},
{
"name": "https://github.com/sni/Thruk/commit/1aa9597cdf2722a69651124f68cbb449be12cc39",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sni/Thruk/commit/1aa9597cdf2722a69651124f68cbb449be12cc39"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23822",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:38:40.514316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T15:09:09.974Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Thruk",
"vendor": "sni",
"versions": [
{
"status": "affected",
"version": "\u003c 3.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thruk is a multibackend monitoring webinterface. Prior to 3.12, the Thruk web monitoring application presents a vulnerability in a file upload form that allows a threat actor to arbitrarily upload files to the server to any path they desire and have permissions for. This vulnerability is known as Path Traversal or Directory Traversal. Version 3.12 fixes the issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-29T15:46:30.188Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sni/Thruk/security/advisories/GHSA-4mrh-mx7x-rqjx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sni/Thruk/security/advisories/GHSA-4mrh-mx7x-rqjx"
},
{
"name": "https://github.com/sni/Thruk/commit/1aa9597cdf2722a69651124f68cbb449be12cc39",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sni/Thruk/commit/1aa9597cdf2722a69651124f68cbb449be12cc39"
}
],
"source": {
"advisory": "GHSA-4mrh-mx7x-rqjx",
"discovery": "UNKNOWN"
},
"title": "Thruk Incorrect limitation of a pathname to a restricted directory (Path Traversal) (CWE-22)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23822",
"datePublished": "2024-01-29T15:46:30.188Z",
"dateReserved": "2024-01-22T22:23:54.337Z",
"dateUpdated": "2025-05-29T15:09:09.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34096 (GCVE-0-2023-34096)
Vulnerability from cvelistv5 – Published: 2023-06-08 18:59 – Updated: 2025-02-13 16:55
VLAI
Title
Thruk has Path Traversal Vulnerability in panorama.pm
Summary
Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://github.com/sni/Thruk/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/sni/Thruk/commit/26de047275c35… | x_refsource_MISC |
| https://github.com/sni/Thruk/commit/cf03f67621b7b… | x_refsource_MISC |
| https://github.com/sni/Thruk/blob/1bc5a5804bf9fc2… | x_refsource_MISC |
| https://github.com/sni/Thruk/blob/1bc5a5804bf9fc2… | x_refsource_MISC |
| https://github.com/sni/Thruk/blob/1bc5a5804bf9fc2… | x_refsource_MISC |
| https://github.com/sni/Thruk/blob/1bc5a5804bf9fc2… | x_refsource_MISC |
| http://packetstormsecurity.com/files/172822/Thruk… | |
| https://galogetlatorre.blogspot.com/2023/06/cve-2… | |
| https://www.exploit-db.com/exploits/51509 | |
| https://github.com/galoget/Thruk-CVE-2023-34096 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:01:53.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h"
},
{
"name": "https://github.com/sni/Thruk/commit/26de047275c355c5ae2bbbc51b164f0f8bef5c5b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sni/Thruk/commit/26de047275c355c5ae2bbbc51b164f0f8bef5c5b"
},
{
"name": "https://github.com/sni/Thruk/commit/cf03f67621b7bb20e2c768bc62b30e976206aa17",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sni/Thruk/commit/cf03f67621b7bb20e2c768bc62b30e976206aa17"
},
{
"name": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L690",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L690"
},
{
"name": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L705",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L705"
},
{
"name": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L727",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L727"
},
{
"name": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L735",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L735"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/51509"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/galoget/Thruk-CVE-2023-34096"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34096",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:46:13.535089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:46:23.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Thruk",
"vendor": "sni",
"versions": [
{
"status": "affected",
"version": "\u003c 3.06.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-19T17:44:14.067Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h"
},
{
"name": "https://github.com/sni/Thruk/commit/26de047275c355c5ae2bbbc51b164f0f8bef5c5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sni/Thruk/commit/26de047275c355c5ae2bbbc51b164f0f8bef5c5b"
},
{
"name": "https://github.com/sni/Thruk/commit/cf03f67621b7bb20e2c768bc62b30e976206aa17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sni/Thruk/commit/cf03f67621b7bb20e2c768bc62b30e976206aa17"
},
{
"name": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L690",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L690"
},
{
"name": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L705",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L705"
},
{
"name": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L727",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L727"
},
{
"name": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L735",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L735"
},
{
"url": "http://packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html"
},
{
"url": "https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html"
},
{
"url": "https://www.exploit-db.com/exploits/51509"
},
{
"url": "https://github.com/galoget/Thruk-CVE-2023-34096"
}
],
"source": {
"advisory": "GHSA-vhqc-649h-994h",
"discovery": "UNKNOWN"
},
"title": "Thruk has Path Traversal Vulnerability in panorama.pm"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34096",
"datePublished": "2023-06-08T18:59:51.787Z",
"dateReserved": "2023-05-25T21:56:51.245Z",
"dateUpdated": "2025-02-13T16:55:17.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35490 (GCVE-0-2021-35490)
Vulnerability from cvelistv5 – Published: 2021-12-15 19:49 – Updated: 2024-08-04 00:40
VLAI
Summary
Thruk before 2.44 allows XSS for a quick command.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.gruppotim.it/redteam | x_refsource_MISC |
| https://www.thruk.org/changelog.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:40:47.051Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gruppotim.it/redteam"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.thruk.org/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thruk before 2.44 allows XSS for a quick command."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-04T17:46:23.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gruppotim.it/redteam"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.thruk.org/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-35490",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Thruk before 2.44 allows XSS for a quick command."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gruppotim.it/redteam",
"refsource": "MISC",
"url": "https://www.gruppotim.it/redteam"
},
{
"name": "https://www.thruk.org/changelog.html",
"refsource": "MISC",
"url": "https://www.thruk.org/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-35490",
"datePublished": "2021-12-15T19:49:49.000Z",
"dateReserved": "2021-06-24T00:00:00.000Z",
"dateUpdated": "2024-08-04T00:40:47.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35488 (GCVE-0-2021-35488)
Vulnerability from cvelistv5 – Published: 2021-11-09 22:29 – Updated: 2024-08-04 00:40
VLAI
Summary
Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.gruppotim.it/redteam | x_refsource_MISC |
| https://www.thruk.org/changelog.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:40:46.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gruppotim.it/redteam"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.thruk.org/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined\u0026title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-09T22:29:41.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gruppotim.it/redteam"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.thruk.org/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-35488",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined\u0026title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gruppotim.it/redteam",
"refsource": "MISC",
"url": "https://www.gruppotim.it/redteam"
},
{
"name": "https://www.thruk.org/changelog.html",
"refsource": "MISC",
"url": "https://www.thruk.org/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-35488",
"datePublished": "2021-11-09T22:29:41.000Z",
"dateReserved": "2021-06-24T00:00:00.000Z",
"dateUpdated": "2024-08-04T00:40:46.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35489 (GCVE-0-2021-35489)
Vulnerability from cvelistv5 – Published: 2021-11-09 22:28 – Updated: 2024-08-04 00:40
VLAI
Summary
Thruk 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2&host={HOSTNAME]&service={SERVICENAME]&backend={BACKEND] Reflected XSS via the host or service parameter. An attacker could inject arbitrary JavaScript into extinfo.cgi. The malicious payload would be triggered every time an authenticated user browses the page containing it.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.gruppotim.it/redteam | x_refsource_MISC |
| https://www.thruk.org/changelog.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:40:47.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gruppotim.it/redteam"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.thruk.org/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thruk 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2\u0026host={HOSTNAME]\u0026service={SERVICENAME]\u0026backend={BACKEND] Reflected XSS via the host or service parameter. An attacker could inject arbitrary JavaScript into extinfo.cgi. The malicious payload would be triggered every time an authenticated user browses the page containing it."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-09T22:28:52.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gruppotim.it/redteam"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.thruk.org/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-35489",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Thruk 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2\u0026host={HOSTNAME]\u0026service={SERVICENAME]\u0026backend={BACKEND] Reflected XSS via the host or service parameter. An attacker could inject arbitrary JavaScript into extinfo.cgi. The malicious payload would be triggered every time an authenticated user browses the page containing it."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gruppotim.it/redteam",
"refsource": "MISC",
"url": "https://www.gruppotim.it/redteam"
},
{
"name": "https://www.thruk.org/changelog.html",
"refsource": "MISC",
"url": "https://www.thruk.org/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-35489",
"datePublished": "2021-11-09T22:28:52.000Z",
"dateReserved": "2021-06-24T00:00:00.000Z",
"dateUpdated": "2024-08-04T00:40:47.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}