Pi-hole Admin Interface Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting (XSS) vulnerability has been identified in the Pi-hole Admin Interface in versions up to and including 6.2.1. The 404 error page reflects the requested URL path into the class attribute of the body tag without properly sanitizing it. Because the path is placed inside a quoted attribute value verbatim, an attacker can close the class attribute and append an onload attribute containing arbitrary JavaScript, which executes in the victim's browser when they open a crafted link.

Impact

Exploitation of this vulnerability results in reflected cross-site scripting: the attacker's JavaScript runs in the victim's browser within the origin of the Pi-hole Admin Interface, and therefore with whatever session the victim holds there. Reflected XSS requires user interaction (the victim must open the attacker's link) and does not persist on the server.

Reproduction

To reproduce this vulnerability, send the victim a link to the Pi-hole Admin Interface whose path matches no existing page (so the 404 error page is served) and contains a double quote that closes the body class attribute, followed by an onload attribute with the JavaScript payload. When the victim opens the link, the injected JavaScript executes in their browser.
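As an added illustration (not code from the Pi-hole project), the following JavaScript models a 404 template that copies the URL-decoded request path into the body class attribute, shows how a crafted path turns into an onload handler, and shows the same template with the path HTML-attribute-encoded. The render functions, the attribute parser, and the sample path are constructed for this example and are assumptions about how such a page could be written, not Pi-hole's actual template.

```javascript
// Added example, not code from the Pi-hole project: a minimal model of a 404
// template that reflects the request path into <body class="...">.

// Vulnerable rendering: the (already URL-decoded) path is dropped into the
// attribute verbatim, so a double quote in the path ends the class value.
function renderNotFoundVulnerable(path) {
  return '<!DOCTYPE html><html><body class="' + path + '">' +
         '<h1>404 Not Found</h1></body></html>';
}

// Hardened rendering: every character with meaning inside an HTML attribute
// is replaced by an entity before interpolation.
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderNotFoundHardened(path) {
  return '<!DOCTYPE html><html><body class="' + escapeHtmlAttr(path) + '">' +
         '<h1>404 Not Found</h1></body></html>';
}

// Reverse of escapeHtmlAttr, used to recover what the browser would see as
// the attribute's actual value.
function decodeAttrEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  })[e]);
}

// Tokenize the attributes of the first <body> tag the way an HTML parser
// would (quoted values may contain spaces and '='). A naive check such as
// /<body[^>]*onload=/ would also match the encoded payload, because
// "&quot; onload=&quot;" still sits inside the tag text; attribute-level
// parsing does not have that false positive.
function parseBodyAttributes(html) {
  const start = html.search(/<body[\s>]/i);
  if (start < 0) return null;
  const attrs = {};
  let i = start + '<body'.length;
  while (i < html.length && html[i] !== '>') {
    if (/\s/.test(html[i])) { i++; continue; }
    let name = '';
    while (i < html.length && !/[\s=>]/.test(html[i])) name += html[i++];
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) value += html[i++];
        i++; // skip the closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
      }
    }
    if (name) attrs[name.toLowerCase()] = decodeAttrEntities(value);
  }
  return attrs;
}

// Does rendering `path` with `render` yield a <body> tag that carries an
// attacker-supplied onload attribute?
function bodyOnloadInjected(render, path) {
  const attrs = parseBodyAttributes(render(path));
  return attrs !== null && Object.prototype.hasOwnProperty.call(attrs, 'onload');
}

// Constructed sample: the path as the server sees it after URL decoding
// (in the link itself the quote and spaces would be percent-encoded).
const CRAFTED_PATH = '/does-not-exist" onload="alert(document.domain)';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable template injectable:',
    bodyOnloadInjected(renderNotFoundVulnerable, CRAFTED_PATH));
  console.log('hardened template injectable:',
    bodyOnloadInjected(renderNotFoundHardened, CRAFTED_PATH));
  console.log('class value the browser sees on the hardened page:',
    JSON.stringify(parseBodyAttributes(renderNotFoundHardened(CRAFTED_PATH)).class));
}
```

With the vulnerable template the parsed body tag has two attributes, class and onload; with the hardened one it has only class, whose decoded value is the original path including the quote and the text "onload=", which is inert as data. Encoding is the minimum fix; an alternative that removes the trust in the encoder entirely is to derive the class from a fixed set of known page names instead of from the request path. The attribute parser here is a test harness for checking rendered output, not a general-purpose HTML parser.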

Remediation

Update to Pi-hole Admin Interface version 6.3 or later, where this vulnerability has been patched. Until the update is applied, the vulnerability can only be triggered by a user opening a crafted link to the admin interface, so the exposure depends on who can reach the interface and on users not following untrusted links to it.

Added: Oct 27, 2025, 7:20 PM
Updated: Oct 27, 2025, 7:20 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           0.0
impact           1.7
exploitability   7.7
remediation      7.7
relevance        0.9
threat           6.4
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.