CVE-2020-36517
https://notcve.org/view.php?id=CVE-2020-36517
An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration. Una filtrado de información en Nabu Casa Home Assistant Operating System and Home Assistant Supervised versión 2022.03, permite que un operador de DNS obtenga conocimientos sobre los recursos de la red interna por medio de la configuración del DNS embebida • https://community.home-assistant.io/t/ha-os-dns-setting-configuration-not-respected/356572 https://github.com/home-assistant/plugin-dns/issues/17 https://github.com/home-assistant/plugin-dns/issues/20 https://github.com/home-assistant/plugin-dns/issues/22 https://github.com/home-assistant/plugin-dns/issues/50 https://github.com/home-assistant/plugin-dns/issues/51 https://github.com/home-assistant/plugin-dns/issues/53 https://github.com/home-assistant/plugin-dns/issues/54 https • CWE-203: Observable Discrepancy •
CVE-2021-3152
https://notcve.org/view.php?id=CVE-2021-3152
Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks against custom integrations. NOTE: the vendor's perspective is that the vulnerability itself is in custom integrations written by third parties, not in Home Assistant; however, Home Assistant does have a security update that is worthwhile in addressing this situation ** EN DISPUTADA ** Home Assistant versiones anteriores a 2021.1.3, no presenta una capa de protección que pueda ayudar a impedir ataques de saltos de directorio contra integraciones personalizadas. NOTA: la perspectiva del proveedor es que la vulnerabilidad en sí está en integraciones personalizadas escritas por terceros, no en Home Assistant; sin embargo, Home Assistant presenta una actualización de seguridad que vale la pena para abordar esta situación • https://www.home-assistant.io/blog/2021/01/14/security-bulletin https://www.home-assistant.io/blog/2021/01/22/security-disclosure • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-21019
https://notcve.org/view.php?id=CVE-2018-21019
Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py. Home Assistant versiones anteriores a 0.67.0, era vulnerable a una divulgación de información que permitía a un atacante no autenticado leer el registro de errores de la aplicación por medio del archivo components/api.py. • https://github.com/home-assistant/home-assistant/pull/13836 https://github.com/home-assistant/home-assistant/releases/tag/0.67.0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-16782
https://notcve.org/view.php?id=CVE-2017-16782
In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markdown text, aka XSS. En las versiones anteriores a la 0.57 de Home Assistant, es posible inyectar código JavaScript en una notificación persistente mediante texto Markdown manipulado. Esto también se conoce como Cross-Site Scripting (XSS). • https://github.com/home-assistant/home-assistant-polymer/pull/514 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •