Filtered by vendor Pi-hole
Subscribe
Search
Total
7 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41175 | 1 Pi-hole | 1 Web Interface | 2021-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. | |||||
| CVE-2021-3811 | 1 Pi-hole | 1 Web Interface | 2021-09-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-3812 | 1 Pi-hole | 1 Web Interface | 2021-09-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-32793 | 1 Pi-hole | 1 Pi-hole | 2021-08-12 | 3.5 LOW | 4.8 MEDIUM |
| Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site-scripting vulnerability. User input added as a wildcard domain to a blocklist or allowlist is unfiltered in the web interface. Since the payload is stored permanently as a wildcard domain, this is a persistent XSS vulnerability. A remote attacker can therefore attack administrative user accounts through client-side attacks. Pi-hole Web Interface version 5.5.1 contains a patch for this vulnerability. | |||||
| CVE-2020-35591 | 1 Pi-hole | 1 Pi-hole | 2021-02-26 | 5.8 MEDIUM | 5.4 MEDIUM |
| Pi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session. | |||||
| CVE-2020-35592 | 1 Pi-hole | 1 Pi-hole | 2021-02-24 | 3.5 LOW | 5.4 MEDIUM |
| Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the admin/ URI. A remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against other users and steal the session cookie. | |||||
| CVE-2020-35659 | 1 Pi-hole | 1 Pi-hole | 2020-12-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page. | |||||