CVE-2021-35488
18Vexday Risk Score
Patch soon. It has a working public exploit.
ssvc Attendepss 2.6%
exploitation probability
2.6%top 16% of all CVEs
observed exploitation
nono source reports it
Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] Reflected XSS via the host or title parameter. An attacker could inject arbitrary JavaScript into status.cgi. The payload would be triggered every time an authenticated user browses the page containing it.
Affected products
n/a · n/a