CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41175 – Stored XSS in Client Groups Management (Authenticated)
https://notcve.org/view.php?id=CVE-2021-41175
Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. La interfaz Web de Pi-hole (basada en AdminLTE) proporciona una ubicación central para administrar el propio Pi-hole y revisar las estadísticas generadas por FTLDNS. En versiones anteriores a 5.8, era posible un ataque de tipo cross-site scripting cuando se agregaba un cliente por medio de la página de administración de grupos-clientes. • https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d https://github.com/pi-hole/AdminLTE/releases/tag/v5.8 https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3812 – Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3812
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') adminlte es vulnerable a una Neutralización Inapropiada de Entradas Durante la Generación de Páginas Web ("Cross-site Scripting") • https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb https://huntr.dev/bounties/875a6885-9a64-46f3-94ad-92f40f989200 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3811 – Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3811
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') adminlte es vulnerable a una Neutralización Inapropiada de la Entrada Durante la Generación de la Página Web ("Cross-site Scripting") • https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3706 – Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3706
adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag adminlte es vulnerable a Cookie confidencial sin flag "HttpOnl" • https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600 https://huntr.dev/bounties/ac7fd77b-b31b-4d02-aebd-f89ecbae3fce • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2021-29448 – Stored DOM XSS in Pi-hole Admin Web Interface
https://notcve.org/view.php?id=CVE-2021-29448
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details. Pi-hole es una aplicación de bloqueo de anuncios y rastreadores de Internet a nivel de red de Linux. El ataque XSS Almacenado se presenta en el portal de Administración de Pi-hole, que puede ser explotado por el actor malicioso con acceso de red al servidor DNS. • https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •