CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-34361 – Pi-hole Blind Server-Side Request Forgery (SSRF) vulnerability can lead to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2024-34361
05 Jul 2024 — Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue. Pi-hole es un sumidero de DNS que protege los dispositivos de contenido no deseado sin ins... • https://github.com/T0X1Cx/CVE-2024-34361-PiHole-SSRF-to-RCE • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 1CVE-2024-28247 – Pihole Authenticated Arbitrary File Read with root privileges
https://notcve.org/view.php?id=CVE-2024-28247
27 Mar 2024 — The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. A vulnerability has been discovered in Pihole that allows an authenticated user on the platform to read internal server files arbitrarily, and because the application runs from behind, reading files is done as a privileged user.If the URL that is in the list of "Adslists" begins with "file*" it is understood that it is updating from a local file, on the other hand if it does not begin ... • https://github.com/T0X1Cx/CVE-2024-28247-Pi-hole-Arbitrary-File-Read • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23614 – Improper session handling of "Remember me for 7 days" functionality
https://notcve.org/view.php?id=CVE-2023-23614
26 Jan 2023 — Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire af... • https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m • CWE-613: Insufficient Session Expiration CWE-836: Use of Password Hash Instead of Password for Authentication •
CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 3CVE-2022-23513 – Pi-Hole/AdminLTE vulnerable due to improper access control in queryads endpoint
https://notcve.org/view.php?id=CVE-2022-23513
22 Dec 2022 — Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain l... • https://packetstorm.news/files/id/174460 • CWE-284: Improper Access Control •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31029 – Authenticated XSS in Pi-hole AdminLTE
https://notcve.org/view.php?id=CVE-2022-31029
07 Jul 2022 — AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert("XSS")</script>` in the field marked with "Domain to look for" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. • https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41175 – Stored XSS in Client Groups Management (Authenticated)
https://notcve.org/view.php?id=CVE-2021-41175
26 Oct 2021 — Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. La interfaz Web de Pi-hole (basada en AdminLTE) proporciona una ubicación central para administrar el propio Pi-hole y revisar las estadísticas generadas por FTLDNS. En versiones anteriores a 5.8, era posible un at... • https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3812 – Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3812
17 Sep 2021 — adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') adminlte es vulnerable a una Neutralización Inapropiada de Entradas Durante la Generación de Páginas Web ("Cross-site Scripting") • https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3811 – Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3811
17 Sep 2021 — adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') adminlte es vulnerable a una Neutralización Inapropiada de la Entrada Durante la Generación de la Página Web ("Cross-site Scripting") • https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3706 – Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3706
15 Sep 2021 — adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag adminlte es vulnerable a Cookie confidencial sin flag "HttpOnl" • https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600 • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag •
CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-32793 – Stored XSS Vulnerability in the Pi-hole Webinterface
https://notcve.org/view.php?id=CVE-2021-32793
04 Aug 2021 — Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site-scripting vulnerability. User input added as a wildcard domain to a blocklist or allowlist is unfiltered in the web interface. Since the payload is stored permanently as a wildcard domain, this is a persistent XSS vulnerability. A remote attacker can theref... • https://github.com/pi-hole/AdminLTE/releases/tag/v5.5.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •