CVE-2023-34096
moderate-risk
Published 2023-06-08
Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2.
Do I need to act?
!
45.1% chance of exploitation in next 30 days
EPSS score — higher than 55% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10
Medium
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (22)
and 2 more references
46
/ 100
moderate-risk
Severity
24/34 · High
Exploitability
17/34 · Moderate
Exposure
5/34 · Minimal