CVE-2022-23513

Опубликовано: 23 дек. 2022

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on queryads endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: /admin/scripts/pi-hole/phpqueryads.php. Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.

Ссылки

http://packetstormsecurity.com/files/174460/AdminLTE-PiHole-Broken-Access-Control.html
Exploit
https://github.com/pi-hole/AdminLTE/releases/tag/v5.18
Release Notes
Third Party Advisory
https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497
Exploit
Third Party Advisory
http://packetstormsecurity.com/files/174460/AdminLTE-PiHole-Broken-Access-Control.html
Exploit
https://github.com/pi-hole/AdminLTE/releases/tag/v5.18
Release Notes
Third Party Advisory
https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pi-hole:adminlte:*:*:*:*:*:*:*:*

Версия до 5.17 (включая)

EPSS

Процентиль: 92%

0.07676

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-284

NVD-CWE-noinfo

Связанные уязвимости

BDU:2023-07566