Promofaux

**Name of the Vulnerable Software and Affected Versions** Pi-hole versions prior to 5.2.2 **Description** The DNS query log in Pi-hole is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page. **Recommendations** For versions prior to 5.2.2, update to version 5.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Query Log and Long-term data Query Log pages until a patch is applied.