CVE-2023-23614 – Improper session handling of "Remember me for 7 days" functionality
https://notcve.org/view.php?id=CVE-2023-23614
Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn't change. • https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m • CWE-613: Insufficient Session Expiration CWE-836: Use of Password Hash Instead of Password for Authentication •
CVE-2022-41432
https://notcve.org/view.php?id=CVE-2022-41432
EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /module/report_event/index.php. Se descubrió que EyesOfNetwork Web Interface v5.3 contiene una vulnerabilidad de cross-site scripting (XSS) reflejada a través del componente /module/report_event/index.php. • https://gist.github.com/delyura/bda0b16cf99cb14bb767db84e5110419 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-41434
https://notcve.org/view.php?id=CVE-2022-41434
EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /lilac/main.php. Se descubrió que EyesOfNetwork Web Interface v5.3 contiene una vulnerabilidad de cross-site scripting (XSS) reflejada a través del componente /lilac/main.php. • https://gist.github.com/delyura/83553302a1960311c8c4c8cc4a974577 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-41433
https://notcve.org/view.php?id=CVE-2022-41433
EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /module/admin_bp/add_application.php. Se descubrió que la interfaz web EyesOfNetwork v5.3 contiene una vulnerabilidad de cross-site scripting (XSS) reflejada a través del componente /module/admin_bp/add_application.php. • https://gist.github.com/delyura/b7419cab29f4105df1c1fbe5d99edd7c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-41175 – Stored XSS in Client Groups Management (Authenticated)
https://notcve.org/view.php?id=CVE-2021-41175
Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. La interfaz Web de Pi-hole (basada en AdminLTE) proporciona una ubicación central para administrar el propio Pi-hole y revisar las estadísticas generadas por FTLDNS. En versiones anteriores a 5.8, era posible un ataque de tipo cross-site scripting cuando se agregaba un cliente por medio de la página de administración de grupos-clientes. • https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d https://github.com/pi-hole/AdminLTE/releases/tag/v5.8 https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •