The Pi-hole Admin Interface versions 6.0 to before 6.5 contain a cross-site scripting vulnerability due to improper escaping of configuration values placed inside HTML value attributes in settings-advanced.js. A double quote character in any config value breaks out of the attribute context, enabling injection of arbitrary HTML attributes. Although the server's CSP prevents execution of injected JavaScript, the injected attributes can alter the UI appearance, potentially facilitating UI redressing attacks. The vulnerability is primarily exploitable by importing a malicious teleporter backup file that bypasses server-side validation. The issue is resolved in version 6.5 of Pi-hole.

An attacker can inject arbitrary HTML attributes into the Pi-hole web interface by importing a crafted teleporter backup, potentially manipulating the user interface through styling changes. While direct JavaScript execution is blocked by the server's CSP, the altered UI could be used for UI redressing attacks that may mislead users. The confidentiality and integrity impact is low, but there is a potential for limited user interface manipulation. No known exploits are reported in the wild.

This vulnerability is fixed in Pi-hole version 6.5. Users should upgrade to version 6.5 or later to remediate this issue. Since no official patch links or vendor advisories are provided, verify the upgrade path from the official Pi-hole project resources. There is no indication that temporary mitigations or workarounds are available. Patch status is not explicitly confirmed beyond the fix in version 6.5, so users should consult the vendor's official advisory for current remediation guidance.