CVE-2021-35488
published 2021-11-09CVE-2021-35488: Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary…
PriorityP338medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
2.63%
83.6th percentile
Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thruk | thruk | — | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Thruk 2.40-2 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2021-35488 [MEDIUM] Thruk 2.40-2 - Cross-Site Scripting
Thruk 2.40-2 - Cross-Site Scripting
Thruk 2.40-2 contains a cross-site scripting vulnerability via /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] in the host or title parameter. An attacker can inject arbitrary JavaScript into status.cgi, leading to a triggered payload when accessed by an authenticated user.
Template:
id: CVE-2021-35488
info:
name: Thruk 2.40-2 - Cross-Site Scripting
author: arafatansari
severity: medium
description: |
Thruk 2.40-2 contains a cross-site scripting vulnerability via /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] in the host or title parameter. An attacker can inject arbitrary JavaScript into status.cgi, leading to a triggered payload when accessed by an authenticated user.
impact: |
Successful exploitation of this vulnerability could al
2021-11-09
Published