Jquery

2 CVEs product

CVE-2026-26953 MEDIUM POC PATCH This Month

Stored HTML injection in Pi-hole Admin Interface versions 6.0+ allows authenticated attackers to inject arbitrary HTML into the active sessions table via the X-Forwarded-For header, which is unsafely rendered when administrators view the API settings page. Public exploit code exists for this vulnerability, affecting administrators who manage Pi-hole instances. An attacker with valid credentials can exploit this to perform client-side attacks against other administrators viewing the compromised session data.

Python Jquery Web Interface
NVD GitHub
CVSS 3.1: 5.4
EPSS: 0.1%

CVE-2025-34100 CRITICAL POC THREAT Emergency

BuilderEngine 3.5.0 contains a critical unrestricted file upload vulnerability in its elFinder 2.0 integration and jQuery File Upload plugin, allowing unauthenticated attackers to upload and execute arbitrary PHP files on the server, resulting in complete remote code execution (RCE) under the web server process context. The vulnerability is characterized by a CVSS 9.3 score with no authentication or user interaction required, making it immediately exploitable across network boundaries.

PHP RCE Jquery Authentication Bypass
NVD Exploit-DB
CVSS 4.0: 9.3
EPSS: 67.4%
Threat: 5.4