Pi Hole
CVE-2020-35659
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page.
AnalysisAI
The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page. Affected products include: Pi-Hole. Version information: before 5.2.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When addin
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. Rated high sever
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated medium severity (CVSS 6.
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static l
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. Rated
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8)
An issue was discovered in Pi-Hole through 5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complex
Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection
Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dash
The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side softwa
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today