CVE-2022-23513
Severity CVSS v4.0:
Pending analysis
Type:
CWE-284
Improper Access Control
Publication date:
23/12/2022
Last modified:
11/04/2025
Description
Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path:<br />
`/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims&#39; personal blacklists.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:pi-hole:adminlte:*:*:*:*:*:*:*:* | 5.17 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/174460/AdminLTE-PiHole-Broken-Access-Control.html
- https://github.com/pi-hole/AdminLTE/releases/tag/v5.18
- https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497
- http://packetstormsecurity.com/files/174460/AdminLTE-PiHole-Broken-Access-Control.html
- https://github.com/pi-hole/AdminLTE/releases/tag/v5.18
- https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497