exploitDog

CVE-2021-35488

Опубликовано: 09 нояб. 2021

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Средний

Описание

Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it.

Ссылки

https://www.gruppotim.it/redteam
Exploit
Third Party Advisory
https://www.thruk.org/changelog.html
Release Notes
Vendor Advisory
https://www.gruppotim.it/redteam
Exploit
Third Party Advisory
https://www.thruk.org/changelog.html
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:thruk:thruk:2.40-2:*:*:*:*:*:*:*

EPSS

Процентиль: 94%

0.12795

Средний

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-x3c7-xr54-mc7w

github

больше 3 лет назад

Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it.

EPSS

Процентиль: 94%

0.12795

Средний

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79