CVE-2020-14971
Summary
| CVE | CVE-2020-14971 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-06-23 14:15:00 UTC |
| Updated | 2021-07-21 11:39:00 UTC |
| Description | Pi-hole through 5.0 allows code injection in piholedhcp (the Static DHCP Leases section) by modifying Teleporter backup files and then restoring them. This occurs in settings.php. To exploit this, an attacker would request a backup of limited files via teleporter.php. These are placed into a .tar.gz archive. The attacker then modifies the host parameter in dnsmasq.d files, and then compresses and uploads these files again. |
Risk And Classification
Problem Types: CWE-862
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Telspace Systems, The Blog: Pi-hole Code Injection – CVE-2020-14971– Story Time | MISC | blog.telspace.co.za | Third Party Advisory |
| missed one (yes yes this can all be squashed) · pi-hole/AdminLTE@8f6e136 · GitHub | CONFIRM | github.com | Patch, Third Party Advisory |
| make use of utils.escapeHtml on the JS side of things, and html_entit… · pi-hole/AdminLTE@c949516 · GitHub | CONFIRM | github.com | Patch, Third Party Advisory |
| Prevent possible XSS attack vector in the input fields of the group section by PromoFaux · Pull Request #1443 · pi-hole/AdminLTE · GitHub | CONFIRM | github.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.