Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pi-hole has a Stored HTML attribute injection
Vulnerability Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Pi-Hole Adminlte 跨站脚本漏洞
Vulnerability Description
Pi-Hole Adminlte是一个控制面板。用于统计更多数据。 Pi-Hole Adminlte 6.0至6.5之前版本存在跨站脚本漏洞,该漏洞源于配置值直接放入HTML属性未转义,可能导致HTML属性注入。
CVSS Information
N/A
Vulnerability Type
N/A