CVE-2021-32793 MEDIUM

CVE-2021-32793: Stored XSS Vulnerability in the Pi-hole Webinterface

Vendor Pi-Hole
Product AdminLTE
Weakness CWE-79 · XSS
Published August 4, 2021
Last update August 3, 2024

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H

Description

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site scripting vulnerability. User input added as a wildcard domain to a blocklist or allowlist is rendered unfiltered in the web interface. Since the payload is stored permanently as a wildcard domain, this is a persistent XSS vulnerability. A remote attacker can therefore attack administrative user accounts through client-side attacks. Pi-hole Web interface version 5.5.1 contains a patch for this vulnerability.
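The defect class described above, rendering a stored list entry into the page without encoding, is shown below as an added example in plain JavaScript. It is not Pi-hole's or AdminLTE's code and does not reproduce the actual fix; the list entries, the row layout, the escapeHtml and isValidWildcardDomain helpers, and the hostname grammar (optional leading "*." plus at least two DNS labels) are all constructed here for illustration.

```javascript
// Constructed list entries, shaped like what a domain-list endpoint might
// return. The second entry is deliberately markup rather than a hostname.
const ENTRIES = [
  { domain: "ads.example.com", type: "wildcard" },
  { domain: "*.tracker.example", type: "wildcard" },
  { domain: "<b>injected markup</b>", type: "wildcard" }, // constructed bad input
];

// Minimal HTML entity encoding for text placed inside element content or
// double-quoted attributes. (Assumed helper; not from the page.)
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Server-side style input check: a wildcard entry may begin with "*." and
// must otherwise be a hostname of two or more DNS labels. This grammar is an
// assumption for the example, not Pi-hole's real rule.
const WILDCARD_DOMAIN_RE =
  /^(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

function isValidWildcardDomain(value) {
  return typeof value === "string" && value.length <= 253 && WILDCARD_DOMAIN_RE.test(value);
}

// Vulnerable rendering: the stored string is interpolated straight into HTML,
// so any markup in it becomes part of the page for every admin who views it.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.domain}</td><td>${entry.type}</td></tr>`;
}

// Hardened rendering: every dynamic value is encoded for the HTML context.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.domain)}</td><td>${escapeHtml(entry.type)}</td></tr>`;
}

// Render a whole table with the supplied row renderer.
function renderTable(entries, rowFn) {
  return `<table>${entries.map(rowFn).join("")}</table>`;
}

// Defence in depth: reject entries that are not hostnames before they are
// stored, and encode on output regardless, since the list may have been
// populated before validation existed.
function acceptEntries(entries) {
  return entries.filter((e) => isValidWildcardDomain(e.domain));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderTable(ENTRIES, renderRowUnsafe));
  console.log("safe:  ", renderTable(ENTRIES, renderRowSafe));
  console.log("accepted:", acceptEntries(ENTRIES).map((e) => e.domain));
}
```

Output encoding at render time is the control that closes the stored XSS regardless of how the entry got into the list; input validation narrows the data to real hostnames but is not a substitute for it, which is why both are applied independently.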

Disclosure timeline

August 4, 2021 CVE published
August 3, 2024 Record updated