Pi-hole Reflected XSS and Session Fixation Vulnerabilities (CVE-2020-35591/35592)

Vulnerability Key Information TL; DR 1. Reflective Cross-site Scripting: Remote users can inject arbitrary web scripts or HTML to perform reflected cross-site scripting attacks against other users, due to improper definition of the Origin header. 2. Session Fixation: A session fixation vulnerability allows remote attackers to hijack web sessions via the PHPSESSID parameter. Product Information Product Name: Pi-hole Affected Versions: 5.0, 5.1, 5.1.1 Organization Name: Pi-hole, LLC Product Website: [](https://pi-hole.net/) Email: [](mailto:disclosure@pi-hole.net) Vulnerability Disclosure Website: [](https://pi-hole.net/contact/) Vulnerability Details 1. Reflected Cross-site Scripting - Improper Input Neutralization Summary: Remote users can inject arbitrary web scripts or HTML due to insufficient sanitization of user-provided data, enabling cross-site scripting attacks against other users. This attack can steal session cookies. Prerequisites: No special configuration required. CVE and CVSS Score: CVE-2020-35592 Steps and PoC Attackers can craft an HTTP request and send it to a Pi-hole authenticated user. When sent to the Origin header, the data can reflect user input. Affected Endpoints URL: HTTP Parameter: Origin header. 2. Session Fixation - CWE-384 Summary: A session fixation vulnerability allows remote attackers to hijack web sessions via the PHPSESSID parameter. Prerequisites: No special configuration required. CVE and CVSS Score: CVE-2020-35591 Steps and PoC The application does not generate a new session cookie after user login. A malicious user can create a new session cookie value and inject it into the victim. When the victim logs in, the injected cookie becomes active, allowing the attacker to access the user’s account through the active session. Timeline December 15, 2020: First disclosure via email to disclosure@pi-hole.net December 22, 2020: Received confirmation email from product owner December 31, 2020: Attempted collaboration with product owner by proposing code fixes February 16, 2021: Fixed version released, with announcement and acknowledgment in news: [](pi-hole.net/2021/02/16/pi-hole-ftl-v5-7-and-web-v5-4-released/) February 26, 2021: NVD assigned CVSS score 5.4 (Medium) to CVE-2020-35591 and CVE-2020-35592.

Goal Reached Thanks to every supporter — we hit 100%!

Pi-hole Reflected XSS and Session Fixation Vulnerabilities (CVE-2020-35591/35592)