Total
6 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-23614 | 1 Pi-hole | 1 Web Interface | 2023-02-06 | N/A | 8.8 HIGH |
Pi-holeĀ®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn't change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3. | |||||
CVE-2021-3706 | 1 Pi-hole | 1 Web Interface | 2022-10-25 | 5.0 MEDIUM | 7.5 HIGH |
adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag | |||||
CVE-2021-41175 | 1 Pi-hole | 1 Web Interface | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. | |||||
CVE-2021-3811 | 1 Pi-hole | 1 Web Interface | 2021-09-28 | 4.3 MEDIUM | 6.1 MEDIUM |
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
CVE-2021-3812 | 1 Pi-hole | 1 Web Interface | 2021-09-27 | 4.3 MEDIUM | 6.1 MEDIUM |
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
CVE-2021-29448 | 1 Pi-hole | 3 Ftldns, Pi-hole, Web Interface | 2021-05-14 | 5.8 MEDIUM | 8.8 HIGH |
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details. |