CVE-2021-35488

MEDIUM NUCLEI

Thruk 2.40-2 - XSS

Description

Thruk 2.40-2 allows reflected XSS at /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE} via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it.

Nuclei Templates (1)

Thruk 2.40-2 - Cross-Site Scripting
MEDIUM | VERIFIED | by arafatansari
Shodan: http.html:"Thruk" || http.html:"thruk"
FOFA: body="thruk" || title=="thruk monitoring webinterface"

Scores

CVSS v3 6.1
EPSS 0.1280
EPSS Percentile 94.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
thruk/thruk 2.40-2
Published Nov 09, 2021
Tracked Since Feb 18, 2026