The Pi-hole project released a fix on 12/24/2020 in v5.2.2. Shodan reports over 7,500 Pi-hole instances. This could be remotely exploited if these instances permit external DNS queries. Other possibilities may exist if a malformed DNS query is allowed.
No payloads are being published at this time to give users time to patch.
- 12/16/2020 Vulnerability reported to vendor
- 12/18/2020 Vendor acknowledged receipt of report
- 12/22/2020 Discovered a second XSS payload that would fire on the Long-term Queries Page
- 12/23/2020 Mitre assigns CVE-2020-35659
- 12/24/2020 Vendor released fix in v5.2.2