CVE-2022-23513
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on queryads endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path:
/admin/scripts/pi-hole/phpqueryads.php. Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pi-hole | AdminLTE | < 5.17 | affected |
Weaknesses
- CWE-284: CWE-284: Improper Access Control
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497
- https://github.com/pi-hole/AdminLTE/releases/tag/v5.18
- http://packetstormsecurity.com/files/174460/AdminLTE-PiHole-Broken-Access-Control.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497
- https://github.com/pi-hole/AdminLTE/releases/tag/v5.18
- http://packetstormsecurity.com/files/174460/AdminLTE-PiHole-Broken-Access-Control.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.