Oxqnd

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

**Name of the Vulnerable Software and Affected Versions** Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final **Description** Request-line validation can be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created and its URI is subsequently modified using the `setUri()` function. While constructors reject CRLF (Carriage Return Line Feed) and whitespace characters to prevent start-line corruption, `setUri()` does not perform this validation. Consequently, `HttpRequestEncoder` and `RtspEncoder` write the URI into the request line verbatim. If attacker-controlled input is passed to `setUri()`, it enables CRLF injection and the insertion of additional HTTP or RTSP requests. This can lead to HTTP request smuggling, desynchronization on the HTTP side, and request injection on the RTSP side. **Recommendations** Update to version 4.1.133.Final or later. Update to version 4.2.13.Final or later. As a temporary workaround, avoid using the `setUri()` function with attacker-controlled input.

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description The C parser, used by default in most installations, allowed null bytes and control characters within response headers. An attacker could leverage this to send header values that are interpreted unexpectedly due to the presence of control characters. For example, `request.url.origin()` might return a different value than the raw Host header, potentially leading to a security bypass. Recommendations Update to version 3.13.4 or later.

**Name of the Vulnerable Software and Affected Versions** NiceGUI versions prior to 3.0.0 **Description** NiceGUI, a Python-based UI framework, is susceptible to Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using `ui.html()`. The framework did not enforce HTML or JavaScript sanitization before version 3.0.0, allowing attackers to execute arbitrary JavaScript in a user’s browser if applications directly combine components like `ui.input()` with `ui.html()` or `ui.chat message` with HTML content without proper escaping. The vulnerable code path occurs when user input is rendered verbatim into the page’s DOM via innerHTML. A proof of concept demonstrates that injecting a malicious payload, such as `<img src=x onerror=alert('XSS')>`, triggers a JavaScript alert. The issue affects applications that directly reflect user input via `ui.html()` or `ui.chat message` in HTML mode, potentially leading to client-side code execution, including session hijacking or phishing. **Recommendations** Update to NiceGUI version 3.0.0 or later to resolve this issue.