Session Fixation Vulnerability in Pi-hole by Pi-hole
CVE-2020-35591

5.4 MEDIUM

Key Information:

Vendor

Pi-hole

Status
Vendor
CVE Published: 18 February 2021

What is CVE-2020-35591?

Pi-hole versions 5.0, 5.1, and 5.1.1 are affected by a session management flaw. Users are susceptible to session fixation attacks because the application fails to generate a new session cookie upon user login. This allows an attacker to create and inject a malicious session cookie. Once a victim logs in, the injected cookie is accepted and becomes bound to the victim's authenticated session, granting the attacker unauthorized access to the victim's active session and potentially compromising sensitive user information.
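The root cause described above can be modelled in a few lines. This is an added example, not Pi-hole's code: `SessionStore`, `rotate_on_login`, `DEMO_PASSWORD` and `prelogin_id_survives_login` are hypothetical names for a minimal in-memory session table, showing the missing session-ID rotation next to the mitigation and a regression check a maintainer could keep in a test suite.

```python
import secrets

DEMO_PASSWORD = "correct-horse"  # constructed value for the demo only


class SessionStore:
    """Server-side session table: session id -> state dict (hypothetical model)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def _new_id(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"authenticated": False}
        return sid

    def handle(self, cookie_sid):
        """Unauthenticated request: reuse a known id, otherwise issue a fresh one."""
        if cookie_sid in self.sessions:
            return cookie_sid
        return self._new_id()

    def login(self, cookie_sid, password):
        """Return the session id the client must use after login, or None on failure."""
        if not secrets.compare_digest(password, DEMO_PASSWORD):
            return None
        sid = self.handle(cookie_sid)
        if self.rotate_on_login:
            # Mitigation: invalidate the pre-login id and bind the
            # authenticated state to a newly generated one.
            del self.sessions[sid]
            sid = self._new_id()
        self.sessions[sid]["authenticated"] = True
        return sid

    def is_authenticated(self, cookie_sid):
        return self.sessions.get(cookie_sid, {}).get("authenticated", False)


def prelogin_id_survives_login(store):
    """Regression check: True means an id issued before login is still
    valid and authenticated afterwards, i.e. the fixation condition holds."""
    planted = store.handle(None)  # id that existed before authentication
    after = store.login(planted, DEMO_PASSWORD)
    return store.is_authenticated(planted) or after == planted
```

The same property can be checked against a deployed web application by comparing the session cookie value before and after a successful login; the two values must differ and the old one must no longer be accepted.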

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
