CVSS 3.1 score (NVD): 5.4

Pi-hole Admin Interface: Stored HTML Injection in DNS Records Configuration

CVE-2026-26952
Summary

Versions 6.4 and below of the Pi-hole Admin Interface are vulnerable to stored HTML injection: an authenticated administrator can inject markup into the DNS records table, where it is rendered every time the table is viewed. This could potentially allow an attacker to perform actions on the Pi-hole configuration, but the impact is limited because Pi-hole's Content Security Policy (CSP) blocks inline JavaScript. Update to version 6.4.1 or later to fix this issue.

What to do

Update the Pi-hole web interface to version 6.4.1 or later, the release in which this issue is fixed.

Affected software
Vendor | Product | Affected versions | Fix available
pi-hole | web_interface | <= 6.4.1 |
Original title
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through...
Original description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as entered by the user and returned by the API. This value is inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. When an attacker supplies a value containing double quotes ("), they can prematurely “close” the data-tag attribute and inject additional HTML attributes into the element. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited. This issue has been fixed in version 6.4.1.
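Added example, not Pi-hole's code and not part of the original advisory: the attribute-injection pattern the description attributes to populateDataTable(), next to an escaped version. The button element, the helper names and the sample record value are assumptions constructed for illustration.

```javascript
// Hypothetical helpers illustrating the pattern; not Pi-hole source code.

// Constructed sample: a record value containing a double quote.
const SAMPLE = '192.0.2.10 printer.lan" title="injected';

// Vulnerable pattern: the stored value is concatenated into data-tag as-is,
// so a double quote ends the attribute and the rest is parsed as markup.
function buildButtonUnsafe(record) {
  return '<button type="button" data-tag="' + record + '"></button>';
}

// Encode every character that can end or reshape a quoted attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened form: the value stays inside data-tag whatever it contains.
// In a browser, element.setAttribute("data-tag", record) achieves the same
// without building HTML strings at all.
function buildButtonSafe(record) {
  return '<button type="button" data-tag="' + escapeAttr(record) + '"></button>';
}

// Minimal check for the tags built above: list the attribute names that a
// parser would see on the opening tag (double-quoted attributes only).
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf(">") + 1);
  const names = [];
  const re = /\s([^\s"'=<>\/]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(openTag)) !== null) names.push(m[1]);
  return names;
}

console.log("unsafe:", attributeNames(buildButtonUnsafe(SAMPLE)));
console.log("safe:  ", attributeNames(buildButtonSafe(SAMPLE)));
```

The unsafe builder yields an extra attribute on the element, while the escaped builder keeps the whole value inside data-tag.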
nvd CVSS3.1 5.4
Vulnerability type
CWE-20 Improper Input Validation
CWE-79 Cross-site Scripting (XSS)
CWE-116 Improper Encoding or Escaping of Output
Published: 19 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026