Pi-hole has a Reflected XSS / HTML injection in taillog.js

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Pi-Hole Adminlte 安全漏洞

Pi-Hole Adminlte是一个控制面板。用于统计更多数据。 Pi-Hole Adminlte 6.0至6.5之前版本存在安全漏洞，该漏洞源于taillog.js存在反射型DOM跨站脚本，可能导致未经身份验证的攻击者注入任意HTML。

N/A

N/A