5.3
CVE-2022-23513
- EPSS 40.16%
- Veröffentlicht 23.12.2022 00:15:08
- Zuletzt bearbeitet 11.04.2025 14:48:51
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPi-Hole/AdminLTE vulnerable due to improper access control in queryads endpoint
Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 40.16% | 0.985 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
http://packetstormsecurity.com/files/174460/AdminLTE-PiHole-Broken-Access-Control.html
https://github.com/pi-hole/AdminLTE/releases/tag/v5.18
https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497