CVE-2022-23961 Overview
CVE-2022-23961 is a reflected cross-site scripting (XSS) vulnerability in Thruk Monitoring through version 2.46.3. The login field of the login form fails to properly sanitize user-supplied input before reflecting it in the response. Unauthenticated remote attackers can craft malicious URLs that execute arbitrary JavaScript in the browsers of victims who visit them. The flaw is classified under CWE-79 and targets users of the monitoring interface, including administrators with elevated privileges.
Critical Impact
Attackers can hijack monitoring sessions, steal credentials, or perform actions on behalf of authenticated operators by tricking them into clicking a crafted link to the Thruk login page.
Affected Products
- Thruk Monitoring versions through 2.46.3
- Thruk web-based monitoring interface (login form)
- Deployments exposing the Thruk login page to untrusted networks
Discovery Timeline
- 2026-05-08 - CVE-2022-23961 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2022-23961
Vulnerability Analysis
The vulnerability resides in the Thruk login form's handling of the login parameter. Thruk reflects the submitted value back into the rendered HTML response without applying contextual output encoding. An attacker who supplies JavaScript payloads through this parameter causes the browser to execute that code in the context of the Thruk application origin.
Reflected XSS requires user interaction. The attacker delivers a crafted URL through phishing, chat, or another distribution channel. When the victim loads the URL, their browser parses the injected script as part of the trusted page. Because Thruk is a monitoring interface, victims are frequently authenticated operators with access to host status data, configuration, and command execution features.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The login form template embeds the login request parameter directly into the HTML response without HTML-entity encoding or context-aware escaping. The flaw exists on an unauthenticated endpoint, so no prior session or credential is required to trigger it.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker constructs a URL targeting the Thruk login page with a JavaScript payload placed in the login parameter. The attacker delivers this URL to a Thruk user through email, instant messaging, or a malicious web page. When the victim follows the link, the payload executes in their browser session against the Thruk origin. Consequences include session cookie theft, credential capture through injected forms, and unauthorized actions issued through the monitoring interface. Refer to the HeroLab Advisory USD-2021-0034 for additional technical details.
Detection Methods for CVE-2022-23961
Indicators of Compromise
- HTTP requests to the Thruk login endpoint containing <script>, onerror=, onload=, or javascript: tokens in the login parameter.
- URL-encoded payload fragments such as %3Cscript%3E, %3Cimg, or %22%3E appearing in the query string or POST body of login requests.
- Referrer headers from external or unexpected domains immediately preceding successful Thruk authentication events.
- Unusual outbound requests from operator browsers shortly after visiting the Thruk login page.
Detection Strategies
- Inspect web server access logs for requests to the Thruk login URL containing HTML, JavaScript, or event-handler syntax in parameters.
- Deploy a web application firewall (WAF) rule that flags reflected XSS signatures targeting the Thruk login form.
- Correlate authentication events with referrer values that originate outside the trusted operations network.
- Hunt for session activity in which an operator account performs unusual commands shortly after page load with an external referrer.
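The log inspection described above, as an added example (not part of the advisory or of Thruk): it parses combined-format access logs, percent-decodes the login parameter (including double-encoded values), and flags the markup tokens from the indicator list. The login path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format (nginx/Apache); only client, timestamp and request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup tokens from the indicator list above, applied after percent-decoding.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)
LOGIN_PATH = "/thruk/cgi-bin/login.cgi"  # assumed location of the Thruk login form

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_login_values(target: str) -> list[str]:
    """Return decoded ``login`` values on the login URL that contain markup."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("login", [])
    return [v for v in map(fully_decode, values) if MARKUP_RE.search(v)]

def scan_log(lines):
    """Yield (client_ip, timestamp, decoded_login_value) for each flagged request."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for value in suspicious_login_values(m["target"]):
                yield m["ip"], m["ts"], value

# Constructed sample lines: a normal login, a plainly encoded payload, a double-encoded
# payload, and a script token on a different endpoint (out of scope for this check).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/May/2026:10:01:02 +0000] "GET /thruk/cgi-bin/login.cgi?login=alice&password=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/May/2026:10:02:14 +0000] "GET /thruk/cgi-bin/login.cgi?login=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 2048',
    '203.0.113.9 - - [08/May/2026:10:02:20 +0000] "GET /thruk/cgi-bin/login.cgi?login=%253Cimg%2520onerror%253Dx%253E HTTP/1.1" 200 2048',
    '10.0.0.7 - - [08/May/2026:10:03:00 +0000] "GET /thruk/cgi-bin/status.cgi?host=%3Cscript%3E HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} flagged login value: {value!r}")
```

Feed real proxy logs to `scan_log()` and route the yielded tuples to your SIEM; the decoded value is what to correlate with the referrer and session checks listed above.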
Monitoring Recommendations
- Forward Thruk and reverse-proxy access logs to a centralized logging or SIEM platform for query and retention.
- Alert on parameter values exceeding typical length or containing markup characters on unauthenticated endpoints.
- Monitor browser-side telemetry for content security policy (CSP) violation reports from the Thruk origin.
How to Mitigate CVE-2022-23961
Immediate Actions Required
- Upgrade Thruk Monitoring to a version newer than 2.46.3 that addresses the reflected XSS in the login form.
- Restrict access to the Thruk web interface to trusted management networks using firewall or VPN controls.
- Communicate the phishing risk to monitoring operators and instruct them not to follow Thruk login links from external sources.
Patch Information
Review the HeroLab Advisory USD-2021-0034 and the HeroLab Security Advisories page for the vendor's remediation guidance. Apply the fixed Thruk release as soon as it is available in your distribution channel and confirm the login parameter is properly encoded on the patched build.
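A way to confirm that the patched build encodes the login parameter, as an added example (not Thruk project code or vendor guidance): a harmless marker string is submitted and the response is checked for whether its special characters come back raw, fully entity-encoded, or only partially encoded. It assumes the default /thruk/cgi-bin/login.cgi path and that a GET request reflects the value; the sample response bodies are constructed.

```python
import html
import re
from urllib.parse import urlencode
from urllib.request import urlopen

# Harmless probe: a marker around the characters a template must entity-encode
# in HTML text and double-quoted attribute contexts. It is not an exploit string.
MARK = "thrukchk"
SPECIALS = '<"&>'
PROBE = MARK + SPECIALS + MARK
ENTITY_RUN = re.compile(r"(?:&(?:[A-Za-z]+|#\d+|#[xX][0-9A-Fa-f]+);)+")

def classify_reflection(body: str) -> str:
    """Classify how the login value came back: 'raw', 'encoded', 'partial' or 'absent'.

    'raw' is the CWE-79 condition described above; 'partial' means only some of
    the special characters were encoded and the template still needs review.
    """
    if PROBE in body:
        return "raw"
    middles = re.findall(rf"{MARK}(.*?){MARK}", body, re.S)
    if not middles:
        return "absent"
    for middle in middles:
        if not ENTITY_RUN.fullmatch(middle) or html.unescape(middle) != SPECIALS:
            return "partial"
    return "encoded"

def fetch_login_page(base_url: str, timeout: float = 10) -> str:
    """GET the login form with the probe in ``login`` (default Thruk path assumed)."""
    url = f"{base_url.rstrip('/')}/thruk/cgi-bin/login.cgi?{urlencode({'login': PROBE})}"
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8")

# Constructed response fragments standing in for an unpatched and a patched build.
VULNERABLE_BODY = f'<input type="text" name="login" value="{PROBE}">'
PATCHED_BODY = f'<input type="text" name="login" value="{html.escape(PROBE)}">'

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python check_login_encoding.py https://thruk.example.internal
        print(classify_reflection(fetch_login_page(sys.argv[1])))
    else:
        print("unpatched sample:", classify_reflection(VULNERABLE_BODY))
        print("patched sample:  ", classify_reflection(PATCHED_BODY))
```

Anything other than "encoded" (or "absent", if the form does not pre-fill the field) on the upgraded instance means the parameter is still reaching the template unescaped.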
Workarounds
- Place Thruk behind a reverse proxy that strips or rejects requests containing HTML or script syntax in the login parameter.
- Configure a strict Content-Security-Policy header that disallows inline scripts on the Thruk login page.
- Enable WAF rulesets targeting reflected XSS patterns until the upgrade is deployed.
- Require operators to access Thruk only through bookmarks rather than third-party links.
# Example nginx rule to block obvious XSS payloads on the Thruk login endpoint.
# $args is the raw, still percent-encoded query string, so both literal and
# %-encoded forms of each token are tested. Only GET parameters are inspected;
# POST bodies pass through untouched. "if" inside a location is safe here
# because the only action taken is "return".
location /thruk/cgi-bin/login.cgi {
    if ($args ~* "(<|%3C)\s*script|onerror(=|%3D)|onload(=|%3D)|javascript(:|%3A)") {
        return 403;
    }
    proxy_pass http://thruk_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.