Pi-hole Admin Interface Cross-Site Scripting Vulnerability in Subscribed Lists Management
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the Pi-hole Admin Interface, affecting versions prior to 6.3. The issue arises in the Address field within the Subscribed Lists group management section, where input is not properly sanitized. This allows authenticated users to inject malicious JavaScript by adding a payload to the Address field when creating or editing a list entry. The vulnerability is triggered when another user navigates to the Tools section and performs a gravity database update, causing the injected script to execute.
Impact
Exploitation results in persistent (stored) cross-site scripting: the injected script is saved with the list entry and executes in the browser session of any user who later runs a gravity update, with that user's privileges in the admin interface.
Reproduction
To reproduce this vulnerability, log into the Pi-hole Admin Interface and navigate to the Subscribed Lists management section. Add a new list entry or edit an existing one, inserting a script payload into the Address field. After saving the entry, go to the Tools section and select 'Update Gravity'. This action triggers the XSS: the injected script (for example, an alert) executes in the browser of the user running the update.
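The defect class described above, shown as an added example that is not Pi-hole's own code: a stored list Address concatenated into the gravity-update page as raw HTML, next to the two fixes a defender would apply, HTML-encoding on output and validating the Address as a URL on input. The function names, the sample entries and the exact markup are this example's own assumptions; Pi-hole's real rendering code and accepted address forms differ.

```javascript
// Added example, not Pi-hole code. Demonstrates why an unencoded Address
// field becomes stored XSS when rendered, and two independent mitigations.

// Constructed sample entries as an administrator could enter them in the
// Subscribed Lists form. The second one carries a script tag in the Address.
const sampleLists = [
  { address: "https://example.com/hosts.txt" },
  { address: "https://example.com/<script>alert(1)</script>" },
];

// Vulnerable pattern: the stored address is concatenated into HTML unchanged,
// so any markup in it becomes part of the page when the update output is shown.
function renderGravityLineUnsafe(entry) {
  return `<li>Downloading ${entry.address}</li>`;
}

// Encode the five characters that can change meaning in HTML text or attributes.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: encode at the point of output, regardless of what was stored.
// This is the fix that actually closes the hole, because it does not depend on
// every input path having been validated.
function renderGravityLineSafe(entry) {
  return `<li>Downloading ${escapeHtml(entry.address)}</li>`;
}

// Defence in depth on the input side: the Address must parse as an http(s) URL
// and must not contain characters that have no business in a list URL.
// (Assumption of this example: only http/https are accepted; Pi-hole itself
// supports further address forms that are out of scope here.)
function isValidListAddress(address) {
  if (typeof address !== "string" || /[\s<>"'`]/.test(address)) return false;
  let url;
  try {
    url = new URL(address);
  } catch {
    return false;
  }
  return url.protocol === "http:" || url.protocol === "https:";
}

// Audit helper: for each entry, report whether input validation would accept it,
// whether the unsafe renderer would emit a raw script tag, and the safe rendering.
function auditLists(lists) {
  return lists.map((entry) => ({
    address: entry.address,
    accepted: isValidListAddress(entry.address),
    containsRawScriptTag: /<script/i.test(renderGravityLineUnsafe(entry)),
    safeHtml: renderGravityLineSafe(entry),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of auditLists(sampleLists)) console.log(row);
}
```

Running the file prints one audit row per sample entry; the hostile entry is rejected by the validator and, even if it had been stored, renders as inert text through the encoding path.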
Remediation
Users can update to Pi-hole Admin Interface version 6.3 or later, where this vulnerability has been patched.