CVE-2020-14971

Name of the Vulnerable Software and Affected Versions Pi-hole through 5.0

Description The issue allows code injection in the Static DHCP Leases section by modifying Teleporter backup files and then restoring them, which occurs in settings.php. An attacker can exploit this by requesting a backup of limited files via teleporter.php, modifying the host parameter in dnsmasq.d files, and then compressing and uploading these files again.

Recommendations For Pi-hole through 5.0, as a temporary workaround, consider restricting access to the Teleporter feature and the Static DHCP Leases section until a patch is available. Avoid using the host parameter in the dnsmasq.d files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.