Vulnerabilities
Vulnerable Software
Thruk:  >> Thruk  Security Vulnerabilities
Thruk is a multibackend monitoring webinterface. Prior to 3.12, the Thruk web monitoring application presents a vulnerability in a file upload form that allows a threat actor to arbitrarily upload files to the server to any path they desire and have permissions for. This vulnerability is known as Path Traversal or Directory Traversal. Version 3.12 fixes the issue.
CVSS Score
5.4
EPSS Score
0.003
Published
2024-01-29
Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2.
CVSS Score
6.5
EPSS Score
0.451
Published
2023-06-08
Thruk before 2.44 allows XSS for a quick command.
CVSS Score
5.4
EPSS Score
0.005
Published
2021-12-15
Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it.
CVSS Score
6.1
EPSS Score
0.164
Published
2021-11-09
Thruk 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2&host={HOSTNAME]&service={SERVICENAME]&backend={BACKEND] Reflected XSS via the host or service parameter. An attacker could inject arbitrary JavaScript into extinfo.cgi. The malicious payload would be triggered every time an authenticated user browses the page containing it.
CVSS Score
6.1
EPSS Score
0.009
Published
2021-11-09


Contact Us

Shodan ® - All rights reserved