Stored XSS Vulnerability in Pi-hole DNS Query Log
CVE-2020-35659

6.1MEDIUM

Key Information:

Vendor

Pi-hole

Status
Pi-hole
Vendor
CVE Published:
24 December 2020

What is CVE-2020-35659?

The DNS query log in Pi-hole prior to version 5.2.2 is susceptible to a stored XSS vulnerability. This flaw allows attackers, who can manipulate DNS queries, to execute arbitrary JavaScript within the administrator's browser when accessing the Query Log or Long-term data Query Log pages. If a malicious actor crafts a specific hostname, the compromised query log may trigger the execution of their JavaScript code, posing a significant security risk to the affected systems.

References

https://github.com/pi-hole/AdminLTE/pull/1665
x_refsource_MISC
https://discourse.pi-hole.net/t/pi-hole-core-web-v5-2-2-a...
x_refsource_CONFIRM
https://blog.mirch.io/2020/12/24/pihole-xss/
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.