Search criteria
18 vulnerabilities found for web_interface by pi-hole
CVE-2025-59151 (GCVE-0-2025-59151)
Vulnerability from nvd – Published: 2025-10-27 19:42 – Updated: 2025-10-27 20:24
VLAI?
Title
Pi-hole Admin Interface vulnerable to HTTP response header injection via CRLF injection
Summary
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3.
Severity ?
8.2 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59151",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T20:23:55.672285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T20:24:05.879Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c 6.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T19:42:59.596Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/web/security/advisories/GHSA-5v79-p56f-x7c4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/web/security/advisories/GHSA-5v79-p56f-x7c4"
}
],
"source": {
"advisory": "GHSA-5v79-p56f-x7c4",
"discovery": "UNKNOWN"
},
"title": "Pi-hole Admin Interface vulnerable to HTTP response header injection via CRLF injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59151",
"datePublished": "2025-10-27T19:42:59.596Z",
"dateReserved": "2025-09-09T15:23:16.327Z",
"dateUpdated": "2025-10-27T20:24:05.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53533 (GCVE-0-2025-53533)
Vulnerability from nvd – Published: 2025-10-27 19:06 – Updated: 2025-10-27 19:19
VLAI?
Title
Pi-hole Admin Interface vulnerable to cross-site scripting via malformed URL path on 404 error page
Summary
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping. An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code in the browser when a victim visits the malicious link. If an attacker sends a crafted pi-hole link to a victim and the victim visits it, attacker-controlled JavaScript code is executed in the browser of the victim. This has been patched in version 6.3.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53533",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T19:18:54.834978Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T19:19:08.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c 6.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping. An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code in the browser when a victim visits the malicious link. If an attacker sends a crafted pi-hole link to a victim and the victim visits it, attacker-controlled JavaScript code is executed in the browser of the victim. This has been patched in version 6.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T19:06:32.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6w"
}
],
"source": {
"advisory": "GHSA-w8f8-92rx-4f6w",
"discovery": "UNKNOWN"
},
"title": "Pi-hole Admin Interface vulnerable to cross-site scripting via malformed URL path on 404 error page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53533",
"datePublished": "2025-10-27T19:06:32.428Z",
"dateReserved": "2025-07-02T15:15:11.515Z",
"dateUpdated": "2025-10-27T19:19:08.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32785 (GCVE-0-2025-32785)
Vulnerability from nvd – Published: 2025-10-27 18:44 – Updated: 2025-10-27 19:40
VLAI?
Title
Pi-hole Admin Interface vulnerable to persistent XSS on Subscribed lists group management (Adress Field)
Summary
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions prior to 6.3 are vulnerable to cross-site scripting (XSS) via the Address field in the Subscribed Lists group management section. An authenticated user can inject malicious JavaScript by adding a payload to the Address field when creating or editing a list entry. The vulnerability is triggered when another user navigates to the Tools section and performs a gravity database update. The Address field does not properly sanitize input, allowing special characters and script tags to bypass validation. This has been patched in version 6.3.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32785",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T19:40:23.905723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T19:40:38.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c 6.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions prior to 6.3 are vulnerable to cross-site scripting (XSS) via the Address field in the Subscribed Lists group management section. An authenticated user can inject malicious JavaScript by adding a payload to the Address field when creating or editing a list entry. The vulnerability is triggered when another user navigates to the Tools section and performs a gravity database update. The Address field does not properly sanitize input, allowing special characters and script tags to bypass validation. This has been patched in version 6.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T18:44:15.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/web/security/advisories/GHSA-7w6h-3gwc-qhq5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/web/security/advisories/GHSA-7w6h-3gwc-qhq5"
}
],
"source": {
"advisory": "GHSA-7w6h-3gwc-qhq5",
"discovery": "UNKNOWN"
},
"title": "Pi-hole Admin Interface vulnerable to persistent XSS on Subscribed lists group management (Adress Field)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32785",
"datePublished": "2025-10-27T18:44:15.658Z",
"dateReserved": "2025-04-10T12:51:12.279Z",
"dateUpdated": "2025-10-27T19:40:38.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23614 (GCVE-0-2023-23614)
Vulnerability from nvd – Published: 2023-01-26 10:15 – Updated: 2025-03-10 21:19
VLAI?
Title
Improper session handling of "Remember me for 7 days" functionality
Summary
Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn't change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3.
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23614",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:01:04.210772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:19:20.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AdminLTE",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.0, \u003e= 5.18.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole\u00ae\u0027s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as \"Remember me for 7 days\" cookie value makes it possible for an attacker to \"pass the hash\" to login or reuse a theoretically expired \"remember me\" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn\u0027t change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-836",
"description": "CWE-836: Use of Password Hash Instead of Password for Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-26T10:15:21.120Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m"
}
],
"source": {
"advisory": "GHSA-33w4-xf7m-f82m",
"discovery": "UNKNOWN"
},
"title": "Improper session handling of \"Remember me for 7 days\" functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23614",
"datePublished": "2023-01-26T10:15:21.120Z",
"dateReserved": "2023-01-16T17:07:46.242Z",
"dateUpdated": "2025-03-10T21:19:20.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41175 (GCVE-0-2021-41175)
Vulnerability from nvd – Published: 2021-10-26 14:10 – Updated: 2024-08-04 02:59
VLAI?
Title
Stored XSS in Client Groups Management (Authenticated)
Summary
Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.690Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/releases/tag/v5.8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AdminLTE",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c 5.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole\u0027s Web interface (based on AdminLTE) provides a central location to manage one\u0027s Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-26T14:10:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/AdminLTE/releases/tag/v5.8"
}
],
"source": {
"advisory": "GHSA-mhr8-7rvg-8r43",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Client Groups Management (Authenticated)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41175",
"STATE": "PUBLIC",
"TITLE": "Stored XSS in Client Groups Management (Authenticated)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AdminLTE",
"version": {
"version_data": [
{
"version_value": "\u003c 5.8"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pi-hole\u0027s Web interface (based on AdminLTE) provides a central location to manage one\u0027s Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43",
"refsource": "CONFIRM",
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43"
},
{
"name": "https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d",
"refsource": "MISC",
"url": "https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d"
},
{
"name": "https://github.com/pi-hole/AdminLTE/releases/tag/v5.8",
"refsource": "MISC",
"url": "https://github.com/pi-hole/AdminLTE/releases/tag/v5.8"
}
]
},
"source": {
"advisory": "GHSA-mhr8-7rvg-8r43",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41175",
"datePublished": "2021-10-26T14:10:12",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3812 (GCVE-0-2021-3812)
Vulnerability from nvd – Published: 2021-09-17 06:15 – Updated: 2024-08-03 17:09
VLAI?
Title
Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
Summary
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity ?
6.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pi-hole | pi-hole/adminlte |
Affected:
unspecified , < 5.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/875a6885-9a64-46f3-94ad-92f40f989200"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pi-hole/adminlte",
"vendor": "pi-hole",
"versions": [
{
"lessThan": "5.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-17T06:15:27",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/875a6885-9a64-46f3-94ad-92f40f989200"
}
],
"source": {
"advisory": "875a6885-9a64-46f3-94ad-92f40f989200",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3812",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "pi-hole/adminlte",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.6"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb",
"refsource": "MISC",
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
},
{
"name": "https://huntr.dev/bounties/875a6885-9a64-46f3-94ad-92f40f989200",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/875a6885-9a64-46f3-94ad-92f40f989200"
}
]
},
"source": {
"advisory": "875a6885-9a64-46f3-94ad-92f40f989200",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3812",
"datePublished": "2021-09-17T06:15:28",
"dateReserved": "2021-09-17T00:00:00",
"dateUpdated": "2024-08-03T17:09:09.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3811 (GCVE-0-2021-3811)
Vulnerability from nvd – Published: 2021-09-17 06:15 – Updated: 2024-08-03 17:09
VLAI?
Title
Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
Summary
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity ?
6.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pi-hole | pi-hole/adminlte |
Affected:
unspecified , < 5.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pi-hole/adminlte",
"vendor": "pi-hole",
"versions": [
{
"lessThan": "5.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-17T06:15:26",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
}
],
"source": {
"advisory": "fa38c61f-4043-4872-bc85-7fe5ae5cc2e8",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3811",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "pi-hole/adminlte",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.6"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8"
},
{
"name": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb",
"refsource": "MISC",
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
}
]
},
"source": {
"advisory": "fa38c61f-4043-4872-bc85-7fe5ae5cc2e8",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3811",
"datePublished": "2021-09-17T06:15:26",
"dateReserved": "2021-09-17T00:00:00",
"dateUpdated": "2024-08-03T17:09:09.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3706 (GCVE-0-2021-3706)
Vulnerability from nvd – Published: 2021-09-15 06:30 – Updated: 2024-08-03 17:01
VLAI?
Title
Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
Summary
adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag
Severity ?
7.4 (High)
CWE
- CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pi-hole | pi-hole/adminlte |
Affected:
unspecified , < 5.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:07.881Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/ac7fd77b-b31b-4d02-aebd-f89ecbae3fce"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pi-hole/adminlte",
"vendor": "pi-hole",
"versions": [
{
"lessThan": "5.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "adminlte is vulnerable to Sensitive Cookie Without \u0027HttpOnly\u0027 Flag"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004 Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-15T06:30:13",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/ac7fd77b-b31b-4d02-aebd-f89ecbae3fce"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600"
}
],
"source": {
"advisory": "ac7fd77b-b31b-4d02-aebd-f89ecbae3fce",
"discovery": "EXTERNAL"
},
"title": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag in pi-hole/adminlte",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3706",
"STATE": "PUBLIC",
"TITLE": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag in pi-hole/adminlte"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "pi-hole/adminlte",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.6"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "adminlte is vulnerable to Sensitive Cookie Without \u0027HttpOnly\u0027 Flag"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1004 Sensitive Cookie Without \u0027HttpOnly\u0027 Flag"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/ac7fd77b-b31b-4d02-aebd-f89ecbae3fce",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/ac7fd77b-b31b-4d02-aebd-f89ecbae3fce"
},
{
"name": "https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600",
"refsource": "MISC",
"url": "https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600"
}
]
},
"source": {
"advisory": "ac7fd77b-b31b-4d02-aebd-f89ecbae3fce",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3706",
"datePublished": "2021-09-15T06:30:13",
"dateReserved": "2021-08-13T00:00:00",
"dateUpdated": "2024-08-03T17:01:07.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29448 (GCVE-0-2021-29448)
Vulnerability from nvd – Published: 2021-04-15 15:25 – Updated: 2024-08-03 22:02
VLAI?
Title
Stored DOM XSS in Pi-hole Admin Web Interface
Summary
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details.
Severity ?
7.6 (High)
CWE
- CWE-79 - {"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AdminLTE",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c= 5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-15T15:25:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
],
"source": {
"advisory": "GHSA-cwwf-93p7-73j9",
"discovery": "UNKNOWN"
},
"title": "Stored DOM XSS in Pi-hole Admin Web Interface",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29448",
"STATE": "PUBLIC",
"TITLE": "Stored DOM XSS in Pi-hole Admin Web Interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AdminLTE",
"version": {
"version_data": [
{
"version_value": "\u003c= 5.4"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9",
"refsource": "CONFIRM",
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
]
},
"source": {
"advisory": "GHSA-cwwf-93p7-73j9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29448",
"datePublished": "2021-04-15T15:25:14",
"dateReserved": "2021-03-30T00:00:00",
"dateUpdated": "2024-08-03T22:02:51.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59151 (GCVE-0-2025-59151)
Vulnerability from cvelistv5 – Published: 2025-10-27 19:42 – Updated: 2025-10-27 20:24
VLAI?
Title
Pi-hole Admin Interface vulnerable to HTTP response header injection via CRLF injection
Summary
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3.
Severity ?
8.2 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59151",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T20:23:55.672285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T20:24:05.879Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c 6.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T19:42:59.596Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/web/security/advisories/GHSA-5v79-p56f-x7c4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/web/security/advisories/GHSA-5v79-p56f-x7c4"
}
],
"source": {
"advisory": "GHSA-5v79-p56f-x7c4",
"discovery": "UNKNOWN"
},
"title": "Pi-hole Admin Interface vulnerable to HTTP response header injection via CRLF injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59151",
"datePublished": "2025-10-27T19:42:59.596Z",
"dateReserved": "2025-09-09T15:23:16.327Z",
"dateUpdated": "2025-10-27T20:24:05.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53533 (GCVE-0-2025-53533)
Vulnerability from cvelistv5 – Published: 2025-10-27 19:06 – Updated: 2025-10-27 19:19
VLAI?
Title
Pi-hole Admin Interface vulnerable to cross-site scripting via malformed URL path on 404 error page
Summary
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping. An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code in the browser when a victim visits the malicious link. If an attacker sends a crafted pi-hole link to a victim and the victim visits it, attacker-controlled JavaScript code is executed in the browser of the victim. This has been patched in version 6.3.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53533",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T19:18:54.834978Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T19:19:08.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c 6.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping. An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code in the browser when a victim visits the malicious link. If an attacker sends a crafted pi-hole link to a victim and the victim visits it, attacker-controlled JavaScript code is executed in the browser of the victim. This has been patched in version 6.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T19:06:32.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6w"
}
],
"source": {
"advisory": "GHSA-w8f8-92rx-4f6w",
"discovery": "UNKNOWN"
},
"title": "Pi-hole Admin Interface vulnerable to cross-site scripting via malformed URL path on 404 error page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53533",
"datePublished": "2025-10-27T19:06:32.428Z",
"dateReserved": "2025-07-02T15:15:11.515Z",
"dateUpdated": "2025-10-27T19:19:08.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32785 (GCVE-0-2025-32785)
Vulnerability from cvelistv5 – Published: 2025-10-27 18:44 – Updated: 2025-10-27 19:40
VLAI?
Title
Pi-hole Admin Interface vulnerable to persistent XSS on Subscribed lists group management (Adress Field)
Summary
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions prior to 6.3 are vulnerable to cross-site scripting (XSS) via the Address field in the Subscribed Lists group management section. An authenticated user can inject malicious JavaScript by adding a payload to the Address field when creating or editing a list entry. The vulnerability is triggered when another user navigates to the Tools section and performs a gravity database update. The Address field does not properly sanitize input, allowing special characters and script tags to bypass validation. This has been patched in version 6.3.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32785",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T19:40:23.905723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T19:40:38.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c 6.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions prior to 6.3 are vulnerable to cross-site scripting (XSS) via the Address field in the Subscribed Lists group management section. An authenticated user can inject malicious JavaScript by adding a payload to the Address field when creating or editing a list entry. The vulnerability is triggered when another user navigates to the Tools section and performs a gravity database update. The Address field does not properly sanitize input, allowing special characters and script tags to bypass validation. This has been patched in version 6.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T18:44:15.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/web/security/advisories/GHSA-7w6h-3gwc-qhq5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/web/security/advisories/GHSA-7w6h-3gwc-qhq5"
}
],
"source": {
"advisory": "GHSA-7w6h-3gwc-qhq5",
"discovery": "UNKNOWN"
},
"title": "Pi-hole Admin Interface vulnerable to persistent XSS on Subscribed lists group management (Adress Field)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32785",
"datePublished": "2025-10-27T18:44:15.658Z",
"dateReserved": "2025-04-10T12:51:12.279Z",
"dateUpdated": "2025-10-27T19:40:38.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23614 (GCVE-0-2023-23614)
Vulnerability from cvelistv5 – Published: 2023-01-26 10:15 – Updated: 2025-03-10 21:19
VLAI?
Title
Improper session handling of "Remember me for 7 days" functionality
Summary
Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn't change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3.
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23614",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:01:04.210772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:19:20.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AdminLTE",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.0, \u003e= 5.18.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole\u00ae\u0027s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as \"Remember me for 7 days\" cookie value makes it possible for an attacker to \"pass the hash\" to login or reuse a theoretically expired \"remember me\" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn\u0027t change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-836",
"description": "CWE-836: Use of Password Hash Instead of Password for Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-26T10:15:21.120Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m"
}
],
"source": {
"advisory": "GHSA-33w4-xf7m-f82m",
"discovery": "UNKNOWN"
},
"title": "Improper session handling of \"Remember me for 7 days\" functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23614",
"datePublished": "2023-01-26T10:15:21.120Z",
"dateReserved": "2023-01-16T17:07:46.242Z",
"dateUpdated": "2025-03-10T21:19:20.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41175 (GCVE-0-2021-41175)
Vulnerability from cvelistv5 – Published: 2021-10-26 14:10 – Updated: 2024-08-04 02:59
VLAI?
Title
Stored XSS in Client Groups Management (Authenticated)
Summary
Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.690Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/releases/tag/v5.8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AdminLTE",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c 5.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole\u0027s Web interface (based on AdminLTE) provides a central location to manage one\u0027s Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-26T14:10:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/AdminLTE/releases/tag/v5.8"
}
],
"source": {
"advisory": "GHSA-mhr8-7rvg-8r43",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Client Groups Management (Authenticated)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41175",
"STATE": "PUBLIC",
"TITLE": "Stored XSS in Client Groups Management (Authenticated)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AdminLTE",
"version": {
"version_data": [
{
"version_value": "\u003c 5.8"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pi-hole\u0027s Web interface (based on AdminLTE) provides a central location to manage one\u0027s Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43",
"refsource": "CONFIRM",
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43"
},
{
"name": "https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d",
"refsource": "MISC",
"url": "https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d"
},
{
"name": "https://github.com/pi-hole/AdminLTE/releases/tag/v5.8",
"refsource": "MISC",
"url": "https://github.com/pi-hole/AdminLTE/releases/tag/v5.8"
}
]
},
"source": {
"advisory": "GHSA-mhr8-7rvg-8r43",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41175",
"datePublished": "2021-10-26T14:10:12",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3812 (GCVE-0-2021-3812)
Vulnerability from cvelistv5 – Published: 2021-09-17 06:15 – Updated: 2024-08-03 17:09
VLAI?
Title
Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
Summary
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity ?
6.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pi-hole | pi-hole/adminlte |
Affected:
unspecified , < 5.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/875a6885-9a64-46f3-94ad-92f40f989200"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pi-hole/adminlte",
"vendor": "pi-hole",
"versions": [
{
"lessThan": "5.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-17T06:15:27",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/875a6885-9a64-46f3-94ad-92f40f989200"
}
],
"source": {
"advisory": "875a6885-9a64-46f3-94ad-92f40f989200",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3812",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "pi-hole/adminlte",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.6"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb",
"refsource": "MISC",
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
},
{
"name": "https://huntr.dev/bounties/875a6885-9a64-46f3-94ad-92f40f989200",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/875a6885-9a64-46f3-94ad-92f40f989200"
}
]
},
"source": {
"advisory": "875a6885-9a64-46f3-94ad-92f40f989200",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3812",
"datePublished": "2021-09-17T06:15:28",
"dateReserved": "2021-09-17T00:00:00",
"dateUpdated": "2024-08-03T17:09:09.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3811 (GCVE-0-2021-3811)
Vulnerability from cvelistv5 – Published: 2021-09-17 06:15 – Updated: 2024-08-03 17:09
VLAI?
Title
Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
Summary
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity ?
6.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pi-hole | pi-hole/adminlte |
Affected:
unspecified , < 5.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pi-hole/adminlte",
"vendor": "pi-hole",
"versions": [
{
"lessThan": "5.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-17T06:15:26",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
}
],
"source": {
"advisory": "fa38c61f-4043-4872-bc85-7fe5ae5cc2e8",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3811",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "pi-hole/adminlte",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.6"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8"
},
{
"name": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb",
"refsource": "MISC",
"url": "https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb"
}
]
},
"source": {
"advisory": "fa38c61f-4043-4872-bc85-7fe5ae5cc2e8",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3811",
"datePublished": "2021-09-17T06:15:26",
"dateReserved": "2021-09-17T00:00:00",
"dateUpdated": "2024-08-03T17:09:09.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3706 (GCVE-0-2021-3706)
Vulnerability from cvelistv5 – Published: 2021-09-15 06:30 – Updated: 2024-08-03 17:01
VLAI?
Title
Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
Summary
adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag
Severity ?
7.4 (High)
CWE
- CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pi-hole | pi-hole/adminlte |
Affected:
unspecified , < 5.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:07.881Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/ac7fd77b-b31b-4d02-aebd-f89ecbae3fce"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pi-hole/adminlte",
"vendor": "pi-hole",
"versions": [
{
"lessThan": "5.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "adminlte is vulnerable to Sensitive Cookie Without \u0027HttpOnly\u0027 Flag"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004 Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-15T06:30:13",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/ac7fd77b-b31b-4d02-aebd-f89ecbae3fce"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600"
}
],
"source": {
"advisory": "ac7fd77b-b31b-4d02-aebd-f89ecbae3fce",
"discovery": "EXTERNAL"
},
"title": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag in pi-hole/adminlte",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3706",
"STATE": "PUBLIC",
"TITLE": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag in pi-hole/adminlte"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "pi-hole/adminlte",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.6"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "adminlte is vulnerable to Sensitive Cookie Without \u0027HttpOnly\u0027 Flag"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1004 Sensitive Cookie Without \u0027HttpOnly\u0027 Flag"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/ac7fd77b-b31b-4d02-aebd-f89ecbae3fce",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/ac7fd77b-b31b-4d02-aebd-f89ecbae3fce"
},
{
"name": "https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600",
"refsource": "MISC",
"url": "https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600"
}
]
},
"source": {
"advisory": "ac7fd77b-b31b-4d02-aebd-f89ecbae3fce",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3706",
"datePublished": "2021-09-15T06:30:13",
"dateReserved": "2021-08-13T00:00:00",
"dateUpdated": "2024-08-03T17:01:07.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29448 (GCVE-0-2021-29448)
Vulnerability from cvelistv5 – Published: 2021-04-15 15:25 – Updated: 2024-08-03 22:02
VLAI?
Title
Stored DOM XSS in Pi-hole Admin Web Interface
Summary
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details.
Severity ?
7.6 (High)
CWE
- CWE-79 - {"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AdminLTE",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c= 5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-15T15:25:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
],
"source": {
"advisory": "GHSA-cwwf-93p7-73j9",
"discovery": "UNKNOWN"
},
"title": "Stored DOM XSS in Pi-hole Admin Web Interface",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29448",
"STATE": "PUBLIC",
"TITLE": "Stored DOM XSS in Pi-hole Admin Web Interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AdminLTE",
"version": {
"version_data": [
{
"version_value": "\u003c= 5.4"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9",
"refsource": "CONFIRM",
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
]
},
"source": {
"advisory": "GHSA-cwwf-93p7-73j9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29448",
"datePublished": "2021-04-15T15:25:14",
"dateReserved": "2021-03-30T00:00:00",
"dateUpdated": "2024-08-03T22:02:51.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}