CVE-2020-35591

Опубликовано: 18 фев. 2021

Источник: nvd

CVSS3: 5.4

CVSS2: 5.8

EPSS Низкий

Описание

Pi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.

Ссылки

https://discourse.pi-hole.net/c/announcements/5
Release Notes
Vendor Advisory
https://n4nj0.github.io/advisories/pi-hole-multiple-vulnerabilities-i/
Exploit
Third Party Advisory
https://discourse.pi-hole.net/c/announcements/5
Release Notes
Vendor Advisory
https://n4nj0.github.io/advisories/pi-hole-multiple-vulnerabilities-i/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:pi-hole:pi-hole:5.0:*:*:*:*:*:*:*

cpe:2.3:a:pi-hole:pi-hole:5.1:*:*:*:*:*:*:*

cpe:2.3:a:pi-hole:pi-hole:5.1.1:*:*:*:*:*:*:*

EPSS

Процентиль: 40%

0.00184

Низкий

5.4 Medium

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-384

Связанные уязвимости

GHSA-fg2g-p9qq-jw38

github

больше 3 лет назад