usd-2021-0034 (CVE-2022-23961) | Thruk Monitoring

Advisory ID: usd-2021-0034
CVE ID: CVE-2022-23961
Affected Product: Thruk Monitoring
Affected Version: < v2.46.3
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: Medium
Vendor URL:
Vendor Status: Fixed


The login form of Thruk Monitoring prior to v2.46.3 is vulnerable to reflected XSS through the field "login".

Submitting invalid values in the login form's username field, named "login", results in a detailed error message. This error message reflects the submitted value in plain HTML without any encoding or filtering being applied. Consequently, a submitted XSS payload is executed in the victim's browser.

Proof of Concept (PoC)

The following request includes JavaScript within the "login" parameter:

POST /pv/thruk/cgi-bin/login.cgi HTTP/1.1
Cookie: thruk_tz=Europe/Berlin; thruk_screen={"height":555,"width":999}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close


As the following screenshot indicates, the above JavaScript is embedded within the application and executed:


It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.
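To make the recommendation concrete, the following added example (not code from the advisory or from the Thruk project) contrasts the vulnerable pattern with its hardened form. It assumes a hypothetical login error page built from string templates; the sample login value is constructed here and contains HTML metacharacters so that the effect of encoding is visible. Output is encoded for the HTML body context and for the HTML attribute context separately, because the two contexts have different escaping rules.

```python
import html

# Constructed sample value (not the advisory's payload): contains the
# characters that must never reach the page unencoded.
SAMPLE_LOGIN = '<b>alice</b>&"x"'


def render_error_unsafe(login: str) -> str:
    """Vulnerable pattern: the user-controlled value is interpolated into
    the HTML body verbatim, so any markup it contains becomes part of the page."""
    return f"<p>Login failed for user {login}</p>"


def render_error_safe(login: str) -> str:
    """Hardened pattern for the HTML body context: every metacharacter
    (&, <, >, ", ') is replaced by its entity before interpolation."""
    return f"<p>Login failed for user {html.escape(login, quote=True)}</p>"


def render_form_safe(login: str) -> str:
    """Hardened pattern for the HTML attribute context: the attribute value is
    always double-quoted and quotes inside the value are encoded, so the
    input cannot close the attribute or the tag."""
    return f'<input type="text" name="login" value="{html.escape(login, quote=True)}">'


def reflects_raw_input(rendered: str, user_input: str) -> bool:
    """Simple regression check: True if the raw user input survives in the
    rendered output as-is (which is exactly the condition for reflected XSS)."""
    return user_input in rendered


def round_trips(rendered_fragment: str, original: str) -> bool:
    """Encoding must be lossless: decoding the entities yields the original
    value, so the error message still shows the user what they typed."""
    return html.unescape(rendered_fragment) == original


if __name__ == "__main__":
    print("unsafe:", render_error_unsafe(SAMPLE_LOGIN))
    print("safe:  ", render_error_safe(SAMPLE_LOGIN))
    print("attr:  ", render_form_safe(SAMPLE_LOGIN))
```

The `reflects_raw_input` check is the kind of assertion a unit test for the login page can carry: render the error page for a value containing `<`, `>`, `&` and `"` and fail the test if the value appears unchanged in the response body.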



  • 2021-12-16: This vulnerability was identified by Markus Ritter.
  • 2021-12-17: Initial contact attempt with maintainer via e-mail.
  • 2022-01-14: Second contact attempt via e-mail.
  • 2022-01-14: Submission of vulnerability details via encrypted e-mail.
  • 2022-01-25: CVE-2022-23961 is assigned.
  • 2022-01-25: Maintainer releases fix with version v2.46.3:
  • 2022-02-18: Security advisory released by usd AG.


This security vulnerability was identified by Markus Ritter of usd AG.