CVE-2021-32793
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H
Summary
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site-scripting vulnerability. User input added as a wildcard domain to a blocklist or allowlist is unfiltered in the web interface. Since the payload is stored permanently as a wildcard domain, this is a persistent XSS vulnerability. A remote attacker can therefore attack administrative user accounts through client-side attacks. Pi-hole Web Interface version 5.5.1 contains a patch for this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pi-hole | AdminLTE | < 5.5.1 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/pi-hole/AdminLTE/releases/tag/v5.5.1
- https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-g3w6-q4fg-p8x8
References
- https://github.com/pi-hole/AdminLTE/releases/tag/v5.5.1
- https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-g3w6-q4fg-p8x8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.