Pi-hole Before 6 Allows Unauthorized Temperature Unit Changes
CVE-2024-44069

7.5HIGH

Key Information:

Vendor: Pi-hole
Status: Pi-hole
Vendor: CVE Published:; 19 August 2024

What is CVE-2024-44069?

An unauthorized access vulnerability in Pi-hole prior to version 6 allows unauthorized users to change the temperature units displayed on the web dashboard through the 'admin/api.php?setTempUnit=' endpoint. Although the vendor does not classify this as a security concern, the reasoning for allowing arbitrary changes by unprivileged users raises questions about potential misuse of this functionality.

References

https://github.com/pi-hole/web/pull/3077

https://www.kiyell.com/The-Harmless-Pihole-Bug/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 19, 2024
Vulnerability Reserved
Aug 19, 2024

CVE-2024-44069 Data

JSON