sni / Thruk

Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API.
http://www.thruk.org

Possible Reflective xss vulnerability #1343

Closed boxinegmbh closed 7 months ago

boxinegmbh commented 7 months ago

Describe the bug: [ https://host-ip/thruk/cgi-bin/login.cgi?debug=alert(document.domain ] Reflective XSS vulnerability possible using debug.

Thruk Version 3.12

Expected behavior: Is there a way to disable the debug behaviour in the configuration?

Screenshots: image(1), image(2)


sni commented 7 months ago

Thanks for reporting this. It should be fixed with the commit https://github.com/sni/Thruk/commit/d9979d9f4a0189d0731a732589806c871b57c9a2. Please report security-related issues here https://github.com/sni/Thruk/security or by mail to security (at) thruk.org.
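The defect pattern behind this report, as an added illustration that is not Thruk's code and makes no claim about what the linked commit changes: a request handler that interpolates the `debug` query value of `login.cgi` into HTML verbatim, next to a version that escapes it for the HTML text context, plus a switch for the reporter's second ask of not reflecting it at all. All function names and the sample URL are constructed for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed request URL mirroring the shape in the report. The value is a
# harmless tag rather than a script: the point is the escaping, not the payload.
SAMPLE_URL = "https://host-ip/thruk/cgi-bin/login.cgi?debug=<b>probe</b>"


def debug_param(url: str) -> str:
    """Return the raw 'debug' query value, or '' when it is absent (hypothetical helper)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("debug", [""])[0]


def render_debug_unsafe(url: str) -> str:
    """Vulnerable pattern: the query value lands in the HTML unchanged, so any
    markup the client sent becomes part of the page (reflected XSS)."""
    return f"<p>debug: {debug_param(url)}</p>"


def render_debug_safe(url: str, debug_enabled: bool = True) -> str:
    """Hardened pattern: escape the value for the HTML text context before
    interpolating it, and emit nothing when debug output is switched off."""
    if not debug_enabled:
        return ""
    return f"<p>debug: {html.escape(debug_param(url), quote=True)}</p>"


def reflects_markup(rendered: str, value: str) -> bool:
    """True when the user-supplied value appears in the output with its '<'
    intact, i.e. a browser would parse it as markup rather than text."""
    return "<" in value and value in rendered


if __name__ == "__main__":
    value = debug_param(SAMPLE_URL)
    for label, out in (("unsafe", render_debug_unsafe(SAMPLE_URL)),
                       ("safe", render_debug_safe(SAMPLE_URL)),
                       ("disabled", render_debug_safe(SAMPLE_URL, debug_enabled=False))):
        print(f"{label:8s} reflects markup: {reflects_markup(out, value)}  -> {out!r}")
```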