CVE-2022-31029 - OpenCVE

AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert("XSS")</script>` in the field marked with "Domain to look for" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pi-hole	Adminlte

Configuration 1 [-]

cpe:2.3:a:pi-hole:adminlte:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509
https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-07-07T21:55:10

Updated: 2024-08-03T07:03:40.234Z

Reserved: 2022-05-18T00:00:00

Link: CVE-2022-31029

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-07-07T22:15:08.643

Modified: 2022-12-23T17:41:44.460

Link: CVE-2022-31029

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "AdminLTE", "vendor": "pi-hole", "versions": [{"status": "affected", "version": "< 5.13"}]}], "descriptions": [{"lang": "en", "value": "AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert(\"XSS\")</script>` in the field marked with \"Domain to look for\" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-07T21:55:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509"}], "source": {"advisory": "GHSA-cfr5-rqm5-9vhp", "discovery": "UNKNOWN"}, "title": "Authenticated XSS in Pi-hole AdminLTE", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31029", "STATE": "PUBLIC", "TITLE": "Authenticated XSS in Pi-hole AdminLTE"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "AdminLTE", "version": {"version_data": [{"version_value": "< 5.13"}]}}]}, "vendor_name": "pi-hole"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert(\"XSS\")</script>` in the field marked with \"Domain to look for\" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp", "refsource": "CONFIRM", "url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp"}, {"name": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509", "refsource": "MISC", "url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509"}]}, "source": {"advisory": "GHSA-cfr5-rqm5-9vhp", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:03:40.234Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31029", "datePublished": "2022-07-07T21:55:10", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:03:40.234Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:adminlte:*:*:*:*:*:*:*:*", "matchCriteriaId": "F57CCF82-6E0F-414F-92A9-4AF6C66969E6", "versionEndExcluding": "5.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert(\"XSS\")</script>` in the field marked with \"Domain to look for\" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "AdminLTE es un tablero de control para las estad\u00edsticas y la configuraci\u00f3n. En las versiones afectadas insertar c\u00f3digo como \"(script)alert(\"XSS\")(/script)\" en el campo marcado con \"Domain to look for\" y pulsando (kbd)enter(/kbd) (o haciendo clic en cualquiera de los botones) ejecutar\u00e1 el script. El usuario debe estar conectado para usar esta vulnerabilidad. Normalmente, s\u00f3lo los administradores presentan acceso a pi-hole, lo que minimiza los riesgos. Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema"}], "id": "CVE-2022-31029", "lastModified": "2022-12-23T17:41:44.460", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-07-07T22:15:08.643", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}