cpe:2.3:a:pi-hole:adminlte:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Pi Hole (525d0520-023b-5ac7-adae-b0bb743ce667) |
|---|---|
| Product | Adminlte (2a36c28b-8c4e-599e-87b5-a723e27689ee) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/pi-hole/adminlte | purl2cpe | 2026-06-01 10:10:57.006497 |
| pkg:rpm/opensuse/pi-hole-adminlte | purl2cpe | 2026-06-01 10:10:57.006499 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2023-23614 | vulnerable | 2026-06-08 05:56:03.778818 | Improper session handling of "Remember me for 7 days" functionality<br>HIGH (8.8)<br>Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn't change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via another attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3.<br>Published: 2023-01-26T10:15:21.120Z<br>Updated: 2025-03-10T21:19:20.064Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-31029 | vulnerable | 2026-06-08 05:43:40.014877 | Authenticated XSS in Pi-hole AdminLTE<br>MEDIUM (5.9)<br>AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert("XSS")</script>` in the field marked with "Domain to look for" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue.<br>Published: 2022-07-07T21:55:10.000Z<br>Updated: 2025-04-23T18:03:57.709Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-23513 | vulnerable | 2026-06-08 05:40:57.675701 | Pi-Hole/AdminLTE vulnerable due to improper access control in queryads endpoint<br>MEDIUM (5.3)<br>Pi-Hole is network-wide ad blocking via your own Linux hardware; AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on the `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php`. Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure of any victims' personal blacklists.<br>Published: 2022-12-22T23:17:19.812Z<br>Updated: 2025-04-15T13:32:52.300Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-41175 | vulnerable | 2026-06-08 05:35:19.904282 | Stored XSS in Client Groups Management (Authenticated)<br>HIGH (7.3)<br>Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8.<br>Published: 2021-10-26T14:10:12.000Z<br>Updated: 2024-08-04T02:59:31.690Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-32793 | vulnerable | 2026-06-08 05:32:08.040764 | Stored XSS Vulnerability in the Pi-hole Webinterface<br>MEDIUM (5.7)<br>Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site-scripting vulnerability. User input added as a wildcard domain to a blocklist or allowlist is unfiltered in the web interface. Since the payload is stored permanently as a wildcard domain, this is a persistent XSS vulnerability. A remote attacker can therefore attack administrative user accounts through client-side attacks. Pi-hole Web Interface version 5.5.1 contains a patch for this vulnerability.<br>Published: 2021-08-04T17:55:09.000Z<br>Updated: 2024-08-03T23:33:55.912Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-32706 | vulnerable | 2026-06-08 05:32:07.880672 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-29448 | vulnerable | 2026-06-08 05:31:26.381028 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |