T0X1Cx

**Name of the Vulnerable Software and Affected Versions** FTLDNS (pihole-FTL) versions 6.0 through 6.5 **Description** The Pi-hole FTL engine contains a Remote Code Execution (RCE) issue in the DNS CNAME records configuration parameter (`dns.cnameRecords`). An authenticated attacker can inject arbitrary dnsmasq configuration directives through newline characters, leading to command execution on the system. **Recommendations** Update to version 6.6 or later.

Name of the Vulnerable Software and Affected Versions FTLDNS (pihole-FTL) versions 6.0 through 6.5 Description The Pi-hole FTL engine contains a Remote Code Execution (RCE) issue in the DHCP hosts configuration parameter (`dhcp.hosts`). An authenticated attacker can inject arbitrary dnsmasq configuration directives through newline characters, leading to command execution on the system. Recommendations Update to version 6.6 or later.

Name of the Vulnerable Software and Affected Versions FTLDNS (pihole-FTL) versions 6.0 through 6.5 Description The Pi-hole FTL engine contains a Remote Code Execution (RCE) issue in the DHCP lease time configuration parameter (`dhcp.leaseTime`). An authenticated attacker can inject arbitrary dnsmasq configuration directives through newline characters, leading to command execution on the system. Recommendations Update to version 6.6 or later.

Name of the Vulnerable Software and Affected Versions FTLDNS (pihole-FTL) versions 6.0 through 6.5 Description The Pi-hole FTL engine contains a Remote Code Execution (RCE) issue in the DNS host record configuration parameter (`dns.hostRecord`). An authenticated attacker can inject arbitrary dnsmasq configuration directives through newline characters, leading to command execution on the system. Recommendations Update to version 6.6 or later.

**Name of the Vulnerable Software and Affected Versions** util-linux versions prior to 2.41.4 **Description** A Time-of-Check-Time-of-Use (TOCTOU) vulnerability exists in the SUID binary /usr/bin/mount within util-linux. When setting up loop devices, the binary validates a file path with user privileges but re-opens it with root privileges without re-verification. This allows a local user to replace the file with a symbolic link to a root-owned file or device during the race window, leading to unauthorized access to root-protected files and block devices. Exploitation requires a specific /etc/fstab configuration and the SUID bit to be set on /usr/bin/mount. **Recommendations** Update to version 2.41.4 or later.

Name of the Vulnerable Software and Affected Versions FTLDNS (pihole-FTL) versions 6.0 through 6.5 Description The Pi-hole FTL engine contains a Remote Code Execution (RCE) issue in the upstream DNS servers configuration parameter (`dns.upstreams`). An authenticated attacker can inject arbitrary dnsmasq configuration directives through newline characters, leading to command execution on the system. Recommendations Update to version 6.6 or later.

**Name of the Vulnerable Software and Affected Versions** Pi-hole versions 6.0 through 6.4.0 **Description** Pi-hole Admin Interface, a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application, contains a Stored HTML Injection issue in the active sessions table on the API settings page. An attacker with valid credentials can inject arbitrary HTML code that will be rendered in the browser of any administrator who visits the active sessions page. The `rowCallback` function uses the `data.x forwarded for` value, which is directly concatenated into an HTML string and inserted into the Document Object Model (DOM) using jQuery’s `.html()` method. This allows malicious HTML tags within the `X-Forwarded-For` header to be parsed and rendered by the browser. Attackers can use tools like curl, wget, Python requests, Burp Suite, or JavaScript fetch() to send authentication requests with a crafted `X-Forwarded-For` header. The Content Security Policy (CSP) implemented by Pi-hole blocks inline JavaScript, limiting the impact to HTML injection only. **Recommendations** Update Pi-hole to version 6.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Pi-hole versions 6.4 and below **Description** Pi-hole Admin Interface, a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application, is susceptible to stored HTML injection through the local DNS records configuration page. An authenticated administrator can inject code that is stored in the Pi-hole configuration and rendered when the DNS records table is viewed. The `populateDataTable()` function includes a `data` variable containing the full DNS record value, which is directly inserted into the data-tag HTML attribute without proper escaping or sanitization. An attacker can exploit this by supplying a value containing double quotes (") to prematurely close the data-tag attribute and inject additional HTML attributes. The impact is limited due to Pi-hole’s Content Security Policy (CSP) that blocks inline JavaScript. **Recommendations** Update to version 6.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Pi-hole Admin Interface versions prior to 6.3 **Description** The Pi-hole Admin Interface, a web interface for managing the Pi-hole advertisement and internet tracker blocking application, contains a Carriage Return Line Feed (CRLF) injection flaw. When handling requests for files ending with the .lp extension, the application fails to properly sanitize input, allowing attackers to inject carriage return and line feed characters (%0d%0a). This enables manipulation of HTTP response headers and content, potentially leading to session fixation, cache poisoning, and weakening of browser security mechanisms like Content Security Policy or X-XSS-Protection. The vulnerability occurs when a request is made to a file ending with the .lp extension, and the application performs a redirect without proper input sanitization. **Recommendations** Update to version 6.3 or later.

**Name of the Vulnerable Software and Affected Versions** Pi-hole versions prior to 5.18.3 **Description** Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability allows an authenticated user to make internal requests to the server via the `gravity DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. **Recommendations** For versions prior to 5.18.3, update to version 5.18.3 to resolve the issue. As a temporary workaround, consider restricting access to the `gravity DownloadBlocklistFromUrl()` function until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Pihole versions prior to 5.18 **Description** A vulnerability has been discovered in Pihole that allows an authenticated user on the platform to read internal server files arbitrarily, and because the application runs from behind, reading files is done as a privileged user. The problem resides in the update through local files. When updating from a file which contains non-domain lines, 5 of the non-domain lines are printed on the screen, so if you provide it with any file on the server which contains non-domain lines it will print them on the screen. **Recommendations** For Pihole versions prior to 5.18, update to version 5.18 to fix the vulnerability. As a temporary workaround, consider restricting access to the update functionality through local files to minimize the risk of exploitation. Avoid using the `Adslists` feature with URLs starting with "file*" until the issue is resolved.