CVE-2022-23513 MEDIUM

CVE-2022-23513: Pi-Hole/AdminLTE vulnerable due to improper access control in queryads endpoint

Vendor Pi-Hole

Product AdminLTE

Weakness CWE-284

Published December 22, 2022

Last update April 15, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.

Key dates

02Disclosure timeline

December 22, 2022 CVE published

April 15, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-23513

Related vulnerabilities

CVE-2022-23513: Pi-Hole/AdminLTE vulnerable due to improper access control in queryads endpoint

01Description

02Disclosure timeline

03References

04Related CVE