Pi-hole Admin Interface
cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*
- >= 6.0, < 6.5
A stored HTML injection vulnerability has been identified in the Pi-hole Admin Interface, affecting versions from 6.0 up to, but not including, 6.5. The issue is in the formatInfo() function in queries.js, where data from upstream DNS responses is rendered into HTML without proper escaping. This allows HTML to be injected, which could be exploited to deface the user interface or conduct phishing attacks via injected forms. While the injection could be exploited remotely by manipulating DNS responses, it also requires access to the local filesystem to inject malicious data into the Pi-hole database.
Exploitation of this vulnerability leads to stored HTML injection, affecting the user interface and potentially allowing phishing attacks through injected forms. The injection could be executed remotely by controlling an upstream DNS server, but also requires local filesystem access to manipulate the Pi-hole database.
To reproduce this vulnerability, intercept API responses from the Pi-hole Admin Interface Query Log using a browser proxy or Playwright. Inject unescaped HTML into the upstream or client IP fields, then expand a query row in the Query Log to trigger the HTML injection.
Users can update to Pi-hole Admin Interface version 6.5, where this vulnerability has been fixed.
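The class of bug described above, as an added example in plain JavaScript. This is not Pi-hole's queries.js: the function names, the markup and the sample record are constructed for illustration. It shows API fields concatenated into markup beside the same fields HTML-escaped first, with a small check that counts the element tags each version produces.

```javascript
// Added example with hypothetical names; not code from the Pi-hole project.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: fields from the API response go straight into markup.
function renderDetailsUnsafe(query) {
  return '<div class="details">' +
    "<span>Client: " + query.client + "</span>" +
    "<span>Upstream: " + query.upstream + "</span>" +
    "</div>";
}

// Hardened pattern: every untrusted field is escaped before concatenation.
function renderDetailsSafe(query) {
  return '<div class="details">' +
    "<span>Client: " + escapeHtml(query.client) + "</span>" +
    "<span>Upstream: " + escapeHtml(query.upstream) + "</span>" +
    "</div>";
}

// Count opening element tags, to see whether a field added markup of its own.
function countOpenTags(html) {
  return (html.match(/<[a-z][^>]*>/gi) || []).length;
}

// Constructed sample record: the upstream field carries markup instead of an address.
const sampleQuery = {
  client: "192.0.2.10",
  upstream: '<form id="demo"></form>',
};

// The template itself has three opening tags (div, span, span).
console.log("unsafe:", countOpenTags(renderDetailsUnsafe(sampleQuery))); // 4
console.log("safe:  ", countOpenTags(renderDetailsSafe(sampleQuery)));   // 3
console.log(renderDetailsSafe(sampleQuery));
```

In browser code the same effect comes from assigning untrusted values with `textContent` rather than building HTML strings.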