Web Interface
CVE-2021-41175
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8.
AnalysisAI
Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. Affected products include: Pi-Hole Web Interface. Version information: version 5.8.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Web Interface
View allPi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Rated high severity
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8)
adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag. Rated high severity (CVSS 7.5), this vulnerability i
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me
Stored HTML injection in Pi-hole Admin Interface versions 6.0+ allows authenticated attackers to inject arbitrary HTML i
Reflected DOM-based XSS in Pi-hole Admin Interface versions 6.0 through 6.4 allows unauthenticated attackers to inject a
EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the
Pi-hole Admin Interface versions 6.4 and below allow authenticated administrators to inject stored HTML code through imp
Stored cross-site scripting (XSS) via HTML attribute injection in Pi-hole Admin Interface versions 6.0 through 6.4 allow
EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the
EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today