CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23614 – Improper session handling of "Remember me for 7 days" functionality
https://notcve.org/view.php?id=CVE-2023-23614
26 Jan 2023 — Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire af... • https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m • CWE-613: Insufficient Session Expiration CWE-836: Use of Password Hash Instead of Password for Authentication •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41175 – Stored XSS in Client Groups Management (Authenticated)
https://notcve.org/view.php?id=CVE-2021-41175
26 Oct 2021 — Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. La interfaz Web de Pi-hole (basada en AdminLTE) proporciona una ubicación central para administrar el propio Pi-hole y revisar las estadísticas generadas por FTLDNS. En versiones anteriores a 5.8, era posible un at... • https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3812 – Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3812
17 Sep 2021 — adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') adminlte es vulnerable a una Neutralización Inapropiada de Entradas Durante la Generación de Páginas Web ("Cross-site Scripting") • https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3811 – Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3811
17 Sep 2021 — adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') adminlte es vulnerable a una Neutralización Inapropiada de la Entrada Durante la Generación de la Página Web ("Cross-site Scripting") • https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3706 – Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3706
15 Sep 2021 — adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag adminlte es vulnerable a Cookie confidencial sin flag "HttpOnl" • https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600 • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2021-29448 – Stored DOM XSS in Pi-hole Admin Web Interface
https://notcve.org/view.php?id=CVE-2021-29448
15 Apr 2021 — Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details. Pi-hole es una aplicación de bloqueo de anuncios y rastreadores de Internet a nivel de red de Linux. El ataque XSS Almacenado se presenta en el portal de Administración de Pi-hole, que puede ser explotado por el actor ... • https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2010-4515
https://notcve.org/view.php?id=CVE-2010-4515
09 Dec 2010 — Cross-site scripting (XSS) vulnerability in Citrix Web Interface 5.0, 5.1, and 5.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2007-6477 and CVE-2009-2454. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Citrix Web Interface 5.0, 5.1 y 5.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores no especificados, una vulnerabilidad diferente a CVE-2007-6477 y ... • http://osvdb.org/69676 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2009-2454
https://notcve.org/view.php?id=CVE-2009-2454
14 Jul 2009 — Cross-site scripting (XSS) vulnerability in Citrix Web Interface 4.6, 5.0, and 5.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en Citrix Web Interface v4.6, v5.0, y v5.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML de forma arbitraria a través de vectores desconocidos. • http://secunia.com/advisories/34868 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2008-6830
https://notcve.org/view.php?id=CVE-2008-6830
08 Jun 2009 — The disconnection feature in Citrix Web Interface 5.0 and 5.0.1 for Java Application Servers does not properly terminate a user's web interface session, which allows attackers with access to the same browser instance to gain access to the user's Web Interface session. NOTE: the attacker must also have valid credentials to the Web Interface. La desconexión de Citrix Web Interface v5.0 y v5.0.1 para servidores de aplicación Java no finaliza adecuadamente la sesión del interfaz web, lo que permite a atacantes ... • http://osvdb.org/49387 •