CVE-2021-41175

7.3 HIGH

📋 TL;DR

CVE-2021-41175 is a cross-site scripting (XSS) vulnerability in Pi-hole's web interface that allows attackers to inject malicious scripts when adding clients via the groups-clients management page. This affects Pi-hole administrators who use versions before 5.8. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions.

💻 Affected Systems

Products:
  • Pi-hole AdminLTE Web Interface
Versions: All versions before 5.8
Operating Systems: Linux, Raspberry Pi OS, Docker
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web interface component; the core Pi-hole DNS functionality remains unaffected.

📦 What is this software?

Pi-hole is a network-wide DNS sinkhole used to block ads and trackers for every device on a LAN. Its administration dashboard (the AdminLTE-based web interface, served by lighttpd) is the component affected by this vulnerability; the DNS resolver itself is not.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains administrative access to Pi-hole, modifies DNS settings to redirect traffic, steals credentials, or installs malware on administrator devices.

🟠 Likely Case

Session hijacking leading to unauthorized configuration changes, credential theft from administrators, or defacement of the web interface.

🟢 If Mitigated

Limited impact due to network segmentation, proper access controls, and regular patching practices.

🌐 Internet-Facing: MEDIUM - Pi-hole instances exposed to the internet are vulnerable, but exploitation requires an attacker to trick an administrator into interacting with malicious content.
🏢 Internal Only: LOW - Internal-only deployments reduce attack surface, but insider threats or compromised internal systems could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated administrator to interact with malicious content, making it a reflected XSS attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8

Vendor Advisory: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43

Restart Required: Yes

Instructions:

1. Update Pi-hole using the 'pihole -up' command.
2. Verify that the update brought AdminLTE to version 5.8 or later.
3. Restart Pi-hole services if this was not done automatically.

🔧 Temporary Workarounds

Disable Web Interface Access (Linux)

Temporarily disable access to the Pi-hole web interface until patching can be completed.

sudo systemctl disable lighttpd
sudo systemctl stop lighttpd

Restrict Web Interface Access (Linux)

Limit web interface access to trusted IP addresses only using firewall rules. The allow rules below only have an effect if ufw is enabled with a default-deny policy for incoming traffic; substitute your own trusted management subnet for 192.168.1.0/24.

sudo ufw allow from 192.168.1.0/24 to any port 80
sudo ufw allow from 192.168.1.0/24 to any port 443

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS attacks.
  • Use browser extensions that block XSS payloads for administrators accessing the interface.

🔍 How to Verify

Check if Vulnerable:

Check the AdminLTE version on the web interface dashboard, or run 'pihole -v' and look for an AdminLTE version below 5.8.

Check Version:

pihole -v | grep 'AdminLTE'

Verify Fix Applied:

After the update, confirm that the AdminLTE version reported by 'pihole -v' is 5.8 or higher.
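The version check above, scripted so it can be run across a fleet of Pi-hole hosts. This is an added example, not code from the page or the Pi-hole project; it assumes 'pihole -v' prints a line of the form "AdminLTE version is v5.7 (Latest: v5.8)" (newer releases label it "Web version is ..."), and compares numerically so that 5.10 is correctly treated as newer than 5.8.

```python
import re
import subprocess

# Version in which the advisory says the issue is fixed.
FIXED_VERSION = (5, 8)

# Assumed line format from 'pihole -v' on 5.x releases; the installed
# version follows "version is", the "(Latest: ...)" part is ignored.
_LINE_RE = re.compile(
    r"^\s*(?:AdminLTE|Web)\s+version\s+is\s+v?(\d+(?:\.\d+)*)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_version(text):
    """'5.10' -> (5, 10); tuple comparison avoids the string-compare trap."""
    return tuple(int(part) for part in text.split("."))


def adminlte_version(pihole_v_output):
    """Installed AdminLTE version as a tuple, or None if no such line is found."""
    match = _LINE_RE.search(pihole_v_output)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(pihole_v_output):
    """True if AdminLTE < 5.8, False if patched, None if undetermined."""
    version = adminlte_version(pihole_v_output)
    if version is None:
        return None
    return version < FIXED_VERSION


def check_local_install():
    """Run 'pihole -v' on this host and classify the result."""
    proc = subprocess.run(["pihole", "-v"], capture_output=True, text=True, check=False)
    return is_vulnerable(proc.stdout)


# Constructed sample outputs for offline testing (not real captures).
SAMPLE_OLD = "  Pi-hole version is v5.6 (Latest: v5.6)\n  AdminLTE version is v5.7 (Latest: v5.8)\n"
SAMPLE_FIXED = "  AdminLTE version is v5.8 (Latest: v5.8)\n"
SAMPLE_NEWER = "  Web version is v5.10 (Latest: v5.10)\n"

if __name__ == "__main__":
    for name, sample in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED), ("newer", SAMPLE_NEWER)):
        print(name, adminlte_version(sample), "vulnerable:", is_vulnerable(sample))
```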

📡 Detection & Monitoring

Log Indicators:

  • Unusual client addition requests in Pi-hole logs
  • Suspicious JavaScript payloads in web server access logs

Network Indicators:

  • Unexpected outbound connections from Pi-hole server after web interface access

SIEM Query:

source="pi-hole" AND (event="client_added" OR url="*groups-clients*") AND user_agent="*<script>*"
