CVERadar

CVE-2024-28247

Medium Severity

SVRS: 30/100
CVSSv3: NA/10
EPSS: 0.02894/1

CVE-2024-28247 allows authenticated Pi-hole users to read arbitrary internal server files with elevated privileges. The vulnerability arises from improper handling of local file updates within the "Adlists" feature: the application inadvertently displays lines from local files that contain non-domain data. Though the CVSS score is 0, indicating no impact, the SOCRadar Vulnerability Risk Score (SVRS) of 30 highlights a potential risk because active exploits are available. Exploitation grants unauthorized access to sensitive server information, enabling further malicious activity. The flaw underscores the importance of careful input validation and privilege management, and of updating to version 5.18, which addresses the issue. While not critical based on SVRS, the presence of an available exploit means that admins should still prioritize patching.

In The Wild
Exploit Available
2024-03-27

2024-03-28

Indicators of Compromise

No IOCs found for this CVE

Exploits

Title: T0X1Cx/CVE-2024-28247-Pi-hole-Arbitrary-File-Read
Software Link: https://github.com/T0X1Cx/CVE-2024-28247-Pi-hole-Arbitrary-File-Read
Date: 2024-03-31

News

CVE-2024-28247 | pi-hole up to 5.17.3 information disclosure
vuldb.com, 2024-05-06
CVE-2024-28247 | pi-hole up to 5.17.3 information disclosure | A vulnerability was found in pi-hole up to 5.17.3. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2024-28247. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

Social Media

No tweets found for this CVE

Affected Software

No affected software found for this CVE

References

Reference: [email protected]
Link: https://github.com/pi-hole/pi-hole/commit/f3af03174e676c20e502a92ed7842159f2fdeb7e

Reference: [email protected]
Link: https://github.com/pi-hole/pi-hole/security/advisories/GHSA-95g6-7q26-mp9x

Reference: GITHUB
Link: https://github.com/pi-hole/pi-hole/security/advisories/GHSA-95g6-7q26-mp9x

CWE Details

CWE ID: CWE-200
CWE Name: Exposure of Sensitive Information to an Unauthorized Actor
Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE ID: CWE-269
CWE Name: Improper Privilege Management
Description: The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
