CVE-2021-32793

Name of the Vulnerable Software and Affected Versions Pi-hole Web Interface versions prior to 5.5.1

Description The Pi-hole Web interface has a stored cross-site-scripting vulnerability in the function to add domains to blocklists or allowlists. This vulnerability exists because user input added as a wildcard domain to a blocklist or allowlist is unfiltered in the web interface, allowing for a persistent XSS vulnerability. A remote attacker can attack administrative user accounts through client-side attacks.

Recommendations For versions prior to 5.5.1, update to Pi-hole Web Interface version 5.5.1 to resolve the issue. As a temporary workaround, consider restricting access to the blocklist and allowlist functions until the update is applied. Avoid using unfiltered user input as wildcard domains in blocklists or allowlists until the issue is resolved.