Thruk 2.40-2 - Cross-Site Scripting

Thruk 2.40-2 contains a cross-site scripting vulnerability via /thruk/cgi-bin/status.cgi?style=combined&title=TITLE in the host or title parameter. An attacker can inject arbitrary JavaScript into status.cgi, leading to a triggered payload when accessed by an authenticated user. id: CVE-2021-3548...

EUVD-2022-28877

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface...

CVE-2022-23961

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface...

CVE-2022-23961

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface...

CVE-2022-23961

Thruk Monitoring (up to 2.46.3) is affected by a reflected XSS in the login field of the login form. The vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface. The CVSS-3.1 base score is 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). No exploit...

Thruk Monitoring 跨站脚本漏洞

Thruk Monitoring is an open-source visualization interface developed by Thruk, designed for centrally displaying and managing system monitoring data. Versions of Thruk Monitoring prior to 2.46.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from the login fields in th...

CVE-2022-23961

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface...

PT-2026-38658

Name of the Vulnerable Software and Affected Versions Thruk Monitoring versions prior to 2.46.4 Description The login field of the login form is susceptible to reflected Cross-Site Scripting XSS, a flaw where an application includes untrusted data in a web page without proper validation, allowing...

CVE-2022-23961

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface...

CVE-2024-39915

Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation. The Thruk web application...

EUVD-2021-22132

Malware in sbrugna...

EUVD-2021-22131

Malware in sbrugna...

EUVD-2024-38297

Malicious code in bioql PyPI...

EUVD-2024-21270

Malicious code in bioql PyPI...

CVE-2024-23822

Thruk is a multibackend monitoring webinterface. Prior to 3.12, the Thruk web monitoring application presents a vulnerability in a file upload form that allows a threat actor to arbitrarily upload files to the server to any path they desire and have permissions for. This vulnerability is known as...

CVE-2023-34096

Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file panorama.pm is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write...

CVE-2021-35489

Thruk 2.40-2 allows /thruk/cgi-bin/extinfo.cgi?type=2=HOSTNAME=SERVICENAME=BACKEND Reflected XSS via the host or service parameter. An attacker could inject arbitrary JavaScript into extinfo.cgi. The malicious payload would be triggered every time an authenticated user browses the page containing...

CVE-2021-35490

Thruk before 2.44 allows XSS for a quick command...

CVE-2021-35488

Thruk 2.40-2 allows /thruk/cgi-bin/status.cgi?style=combined=TITLE Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it...

CVE-2024-39915

Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation. The Thruk web application...