CVE-2020-35592

Name of the Vulnerable Software and Affected Versions: Pi-hole versions 5.0 through 5.1.1

Description: The issue allows a remote user to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data, achieving a Reflected Cross-Site Scripting attack against other users and potentially stealing the session cookie. This is done via the Options header to the "admin/" URI.

Recommendations: For versions 5.0 through 5.1.1, consider disabling access to the "admin/" URI until a patch is available to prevent exploitation. Restrict the use of the Options header in the admin/ URI to minimize the risk of Reflected Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.