CVE-2020-35659

MEDIUM

Pi-hole < 5.2.2 - Stored Cross-Site Scripting in DNS Query Log

Title source: llm
STIX 2.1

Description

The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page.

References (3)

Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/pi-hole/AdminLTE/pull/1665
Third Party Advisory x_refsource_misc
https://blog.mirch.io/2020/12/24/pihole-xss/

Scores

CVSS v3 6.1
EPSS 0.0094
EPSS Percentile 56.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
pi-hole/pi-hole < 5.2.2
Published Dec 24, 2020
Tracked Since Feb 18, 2026