CVE-2020-35591 Information

Description

Pi-hole 5.0 5.1 and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in the injected cookie becomes valid giving the attacker access to the user’s account through the active session.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Reference

https://n4nj0.github.io/advisories/pi-hole-multiple-vulnerabilities-i/ https://discourse.pi-hole.net/c/announcements/5

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

5.4