{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "5.0" }, { "introduced": "0" }, { "last_affected": "5.1" }, { "introduced": "0" }, { "last_affected": "5.1.1" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "4d25f695267590b61a4061f9bb43448005d99b85" }, { "introduced": "0" }, { "last_affected": "e9b039139c468798fb6d9457e4c9012171faee33" }, { "introduced": "0" }, { "last_affected": "56cd7c4d59ceb629a2170cd1c8ab78ef26366019" } ], "repo": "https://github.com/pi-hole/pi-hole", "type": "GIT" } ] } ], "details": "Pi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.", "id": "CVE-2020-35591", "modified": "2026-03-13T21:53:13.860952446Z", "published": "2021-02-18T20:15:12.290Z", "references": [ { "type": "ADVISORY", "url": "https://discourse.pi-hole.net/c/announcements/5" }, { "type": "EVIDENCE", "url": "https://n4nj0.github.io/advisories/pi-hole-multiple-vulnerabilities-i/" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "type": "CVSS_V3" } ] }