CVE-2022-31029 - Vulnerability Details - OpenCVE

AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert("XSS")</script>` in the field marked with "Domain to look for" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Pi-hole	Adminlte

Configuration 1 [-]

cpe:2.3:a:pi-hole:adminlte:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509
https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp

History

Wed, 23 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-07-07T21:55:10.000Z

Updated: 2025-04-23T18:03:57.709Z

Reserved: 2022-05-18T00:00:00.000Z

Link: CVE-2022-31029

Vulnrichment

Updated: 2024-08-03T07:03:40.234Z

NVD

Status : Modified

Published: 2022-07-07T22:15:08.643

Modified: 2024-11-21T07:03:44.757

Link: CVE-2022-31029

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "AdminLTE", "vendor": "pi-hole", "versions": [{"status": "affected", "version": "< 5.13"}]}], "descriptions": [{"lang": "en", "value": "AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert(\"XSS\")</script>` in the field marked with \"Domain to look for\" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-07T21:55:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509"}], "source": {"advisory": "GHSA-cfr5-rqm5-9vhp", "discovery": "UNKNOWN"}, "title": "Authenticated XSS in Pi-hole AdminLTE", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31029", "STATE": "PUBLIC", "TITLE": "Authenticated XSS in Pi-hole AdminLTE"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "AdminLTE", "version": {"version_data": [{"version_value": "< 5.13"}]}}]}, "vendor_name": "pi-hole"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert(\"XSS\")</script>` in the field marked with \"Domain to look for\" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp", "refsource": "CONFIRM", "url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp"}, {"name": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509", "refsource": "MISC", "url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509"}]}, "source": {"advisory": "GHSA-cfr5-rqm5-9vhp", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:03:40.234Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:03:46.915569Z", "id": "CVE-2022-31029", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T18:03:57.709Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31029", "datePublished": "2022-07-07T21:55:10.000Z", "dateReserved": "2022-05-18T00:00:00.000Z", "dateUpdated": "2025-04-23T18:03:57.709Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:03:40.234Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-31029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T14:03:46.915569Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T14:03:48.834Z"}}], "cna": {"title": "Authenticated XSS in Pi-hole AdminLTE", "source": {"advisory": "GHSA-cfr5-rqm5-9vhp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "pi-hole", "product": "AdminLTE", "versions": [{"status": "affected", "version": "< 5.13"}]}], "references": [{"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert(\"XSS\")</script>` in the field marked with \"Domain to look for\" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-07-07T21:55:10.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, "source": {"advisory": "GHSA-cfr5-rqm5-9vhp", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 5.13"}]}, "product_name": "AdminLTE"}]}, "vendor_name": "pi-hole"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp", "name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp", "refsource": "CONFIRM"}, {"url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509", "name": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert(\"XSS\")</script>` in the field marked with \"Domain to look for\" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-31029", "STATE": "PUBLIC", "TITLE": "Authenticated XSS in Pi-hole AdminLTE", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-31029", "state": "PUBLISHED", "dateUpdated": "2025-04-23T18:03:57.709Z", "dateReserved": "2022-05-18T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-07-07T21:55:10.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:adminlte:*:*:*:*:*:*:*:*", "matchCriteriaId": "F57CCF82-6E0F-414F-92A9-4AF6C66969E6", "versionEndExcluding": "5.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert(\"XSS\")</script>` in the field marked with \"Domain to look for\" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "AdminLTE es un tablero de control para las estad\u00edsticas y la configuraci\u00f3n. En las versiones afectadas insertar c\u00f3digo como \"(script)alert(\"XSS\")(/script)\" en el campo marcado con \"Domain to look for\" y pulsando (kbd)enter(/kbd) (o haciendo clic en cualquiera de los botones) ejecutar\u00e1 el script. El usuario debe estar conectado para usar esta vulnerabilidad. Normalmente, s\u00f3lo los administradores presentan acceso a pi-hole, lo que minimiza los riesgos. Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema"}], "id": "CVE-2022-31029", "lastModified": "2024-11-21T07:03:44.757", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-07T22:15:08.643", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cfr5-rqm5-9vhp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}