Thruk 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2&host={HOSTNAME]&service={SERVICENAME]&backend={BACKEND] Reflected XSS via the host or service parameter. An attacker could inject arbitrary JavaScript into extinfo.cgi. The malicious payload would be triggered every time an authenticated user browses the page containing it.
References
Link | Resource |
---|---|
https://www.gruppotim.it/redteam | Exploit Third Party Advisory |
https://www.thruk.org/changelog.html | Release Notes Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-11-09T22:28:52
Updated: 2021-11-09T22:28:52
Reserved: 2021-06-24T00:00:00
Link: CVE-2021-35489
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-11-09T23:15:08.830
Modified: 2021-11-10T19:02:29.207
Link: CVE-2021-35489
JSON object: View
Redhat Information
No data.
CWE