
CVSS: 7.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8.

• https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d
• https://github.com/pi-hole/AdminLTE/releases/tag/v5.8
• https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.7 • EPSS: 0% • CPEs: 1 • EXPL: 1

adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

• https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb
• https://huntr.dev/bounties/875a6885-9a64-46f3-94ad-92f40f989200
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.7 • EPSS: 0% • CPEs: 1 • EXPL: 1

adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

• https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb
• https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag.

• https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600
• https://huntr.dev/bounties/ac7fd77b-b31b-4d02-aebd-f89ecbae3fce
• CWE-732: Incorrect Permission Assignment for Critical Resource
• CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

CVSS: 5.7 • EPSS: 0% • CPEs: 1 • EXPL: 1

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site-scripting vulnerability. User input added as a wildcard domain to a blocklist or allowlist is unfiltered in the web interface. Since the payload is stored permanently as a wildcard domain, this is a persistent XSS vulnerability. A remote attacker can therefore attack administrative user accounts through client-side attacks.

• https://github.com/pi-hole/AdminLTE/releases/tag/v5.5.1
• https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-g3w6-q4fg-p8x8
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')