VYPR
Medium severity · CVSS 6.1 · NVD Advisory · Published May 8, 2026 · Updated May 8, 2026

CVE-2022-23961

Description

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Thruk Monitoring before 2.46.3 has a reflected XSS in the login field, allowing unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers.

Vulnerability

Overview

CVE-2022-23961 is a reflected cross-site scripting (XSS) vulnerability in Thruk Monitoring, a web-based monitoring interface. The flaw exists in the login form's 'login' parameter prior to version 2.46.3. When invalid values are submitted, the application reflects the input back in error messages without proper encoding or filtering, allowing arbitrary HTML and JavaScript to be injected [2].

Exploitation

An unauthenticated remote attacker can exploit this by crafting a malicious URL or form submission containing a JavaScript payload in the 'login' field. The attacker must trick a victim into visiting the crafted link or submitting the malicious form; no prior authentication is required. The proof-of-concept demonstrates a simple POST request that triggers an alert box, confirming code execution [2].

Impact

Successful exploitation leads to execution of attacker-controlled JavaScript in the context of the victim's session. This can be used to steal session cookies, perform actions on behalf of the victim, or deface the interface. The CVSS v3 score of 6.1 (Medium) reflects the need for user interaction and the potential for significant impact on confidentiality and integrity [2].

Mitigation

The vendor addressed the issue in Thruk version 2.46.3. Users should upgrade to this version or later. No workarounds are mentioned, but general output encoding and input validation practices are recommended to prevent similar issues [2].
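The following is an added illustration of the two practices the mitigation section names (output encoding and input validation), written for this page and not taken from Thruk, whose code base is Perl. It models a login error page that reflects the submitted `login` value: one renderer interpolates the value verbatim, the hardened one HTML-encodes it, and a separate allowlist check rejects usernames that should never contain markup in the first place. The request body and the function names are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample: the body of a login POST whose "login" field carries a
# script tag (URL-encoded, as a browser would send it). Not a real capture.
SAMPLE_BODY = "login=%3Cscript%3Ealert(1)%3C%2Fscript%3E&password=x"

# Hypothetical allowlist for usernames: letters, digits, dot, dash, underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def login_from_body(body: str) -> str:
    """Extract the decoded 'login' field from a form-encoded request body."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("login", [""])[0]


def render_error_vulnerable(login: str) -> str:
    """Reflects the submitted value straight into the HTML error message.

    This is the pattern the advisory describes: no encoding, so any markup in
    the field becomes part of the page the victim's browser renders.
    """
    return f"<p class=\"error\">Login failed for user {login}</p>"


def render_error_hardened(login: str) -> str:
    """Same message, but the value is HTML-encoded before interpolation.

    quote=True also encodes quotes, which matters if the value is ever placed
    inside an attribute rather than element text.
    """
    return f"<p class=\"error\">Login failed for user {html.escape(login, quote=True)}</p>"


def is_valid_username(login: str) -> bool:
    """Defense in depth: reject values that cannot be a legitimate username.

    Validation alone is not a fix for reflected XSS (the error path must still
    encode), but it shrinks what an attacker can get reflected at all.
    """
    return USERNAME_RE.fullmatch(login) is not None


def contains_raw_script_tag(fragment: str) -> bool:
    """Crude indicator used only to make the difference between the two
    renderers visible: does a literal <script tag survive in the output?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    submitted = login_from_body(SAMPLE_BODY)
    print("vulnerable:", render_error_vulnerable(submitted))
    print("hardened:  ", render_error_hardened(submitted))
    print("valid username?", is_valid_username(submitted))
```

Running the script shows the vulnerable renderer emitting the script tag intact, while the hardened renderer emits `&lt;script&gt;...`, which the browser displays as text. The allowlist check rejects the payload outright, so a real login handler would return a generic "invalid username" message without ever reaching the reflection path.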

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.