Pi-hole v5.2.1 is vulnerable to a critical stored cross-site scripting (XSS) vulnerability. An attacker who can directly or indirectly cause the Pi-hole resolver to log a query for a malicious hostname can have arbitrary JavaScript execute in the browser of a Pi-hole administrator who views the Query Log or Long-term Query Log pages of the web interface.

The Pi-hole project released a fix on 12/24/2020 in v5.2.2. Shodan reports over 7,500 Internet-exposed Pi-hole instances; any of these that accept DNS queries from external clients could be exploited remotely, since the attacker only needs a query for a hostname of their choosing to be logged. Other vectors may exist if the resolver accepts a malformed DNS query.

No payloads are being published at this time to give users time to patch.
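The root cause described above, a logged query name reaching the administrator's browser without HTML escaping, can be checked for and guarded against without any payload. The following is an added example written for this page, not code from the Pi-hole project: it parses constructed dnsmasq-style log lines of the kind found in /var/log/pihole.log (the exact line format is an assumption), flags any queried name that does not fit RFC 1123 hostname syntax, and shows the escaping a log viewer must apply before placing such a name in HTML. The flagged sample deliberately carries inert `<b>` markup rather than a script payload, and the function names are this example's own.

```python
import html
import re
from typing import Dict, List

# A dnsmasq-style query line as pihole-FTL writes it to /var/log/pihole.log.
# The format is assumed for this example; SAMPLE_LOG below is constructed,
# not a real capture.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

# One DNS label under the RFC 1123 "letters, digits, hyphen" rule: 1-63 chars,
# no leading or trailing hyphen. Underscore is tolerated because SRV, DKIM and
# DMARC names legitimately use it.
LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")

# Constructed sample log. The fourth line carries harmless HTML markup in the
# queried name; it stands in for whatever an attacker would actually send.
SAMPLE_LOG = """\
Dec 24 10:00:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Dec 24 10:00:02 dnsmasq[1234]: forwarded www.example.com to 9.9.9.9
Dec 24 10:00:03 dnsmasq[1234]: query[TXT] _dmarc.example.com from 192.168.1.11
Dec 24 10:00:04 dnsmasq[1234]: query[A] <b>x</b>.example.com from 192.168.1.12
"""


def is_plausible_hostname(name: str) -> bool:
    """True if every label of `name` is syntactically a hostname label.

    Angle brackets, quotes, spaces and control characters never occur in a
    real hostname, so anything failing this check deserves a closer look.
    """
    name = name.rstrip(".")  # tolerate a trailing root dot
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def find_suspicious_queries(log_text: str) -> List[Dict[str, str]]:
    """Return the query records whose queried name is not a plausible hostname."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue  # not a query line (forwarded, reply, cached, ...)
        name = m.group("name")
        if not is_plausible_hostname(name):
            hits.append(
                {"qtype": m.group("qtype"), "name": name, "client": m.group("client")}
            )
    return hits


def render_cell(name: str) -> str:
    """What a log viewer must do before placing a logged name in HTML:
    escape it so markup inside the name is displayed literally, not parsed."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for hit in find_suspicious_queries(SAMPLE_LOG):
        print(
            f"{hit['client']} asked {hit['qtype']} for {hit['name']!r} "
            f"-> safe to render as {render_cell(hit['name'])}"
        )
```

Running the script over real pihole.log data is a cheap way to see whether anyone has already tried this against an instance; the escaping in `render_cell` is the property the v5.2.2 fix restores for the Query Log pages, whatever the exact code change looks like.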

Timeline

  • 12/16/2020 Vulnerability reported to vendor
  • 12/18/2020 Vendor acknowledged receipt of report
  • 12/22/2020 Discovered a second XSS payload that would fire on the Long-term Query Log page
  • 12/23/2020 MITRE assigns CVE-2020-35659
  • 12/24/2020 Vendor released fix in v5.2.2