Vulnerabilities (CVE)

Filtered by vendor Thruk Subscribe
Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-34096 1 Thruk 1 Thruk 2023-06-19 N/A 8.8 HIGH
Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2.
CVE-2021-35490 1 Thruk 1 Thruk 2022-04-05 3.5 LOW 5.4 MEDIUM
Thruk before 2.44 allows XSS for a quick command.
CVE-2021-35488 1 Thruk 1 Thruk 2021-11-10 4.3 MEDIUM 6.1 MEDIUM
Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it.
CVE-2021-35489 1 Thruk 1 Thruk 2021-11-10 4.3 MEDIUM 6.1 MEDIUM
Thruk 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2&host={HOSTNAME]&service={SERVICENAME]&backend={BACKEND] Reflected XSS via the host or service parameter. An attacker could inject arbitrary JavaScript into extinfo.cgi. The malicious payload would be triggered every time an authenticated user browses the page containing it.