CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-50715 – User accounts disclosed to unauthenticated actors on the LAN
https://notcve.org/view.php?id=CVE-2023-50715
Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles. However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. • https://github.com/home-assistant/core/commit/dbfc5ea8f96bde6cd165892f5a6a6f9a65731c76 https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41893 – Account takeover via auth_callback login in Home Assistant Core
https://notcve.org/view.php?id=CVE-2023-41893
Home assistant is an open source home automation. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. • https://github.com/home-assistant/core/security/advisories/GHSA-qhhj-7hrc-gqj5 https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41894 – Local-only webhooks externally accessible via SniTun in Home Assistant Core
https://notcve.org/view.php?id=CVE-2023-41894
Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/home-assistant/core/security/advisories/GHSA-wx3j-3v2j-rf45 https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant • CWE-669: Incorrect Resource Transfer Between Spheres •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41895 – Cross-site Scripting via auth_callback login in Home Assistant Core
https://notcve.org/view.php?id=CVE-2023-41895
Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically ensures that it matches the `client_id` and the scheme represents either `http` or `https`, Home Assistant will fetch the `client_id` and check for `<link rel="redirect_uri" href="...">` HTML tags on the page. These URLs are not subjected to the same scheme validation and thus allow for arbitrary JavaScript execution on the Home Assistant administration page via usage of `javascript:` scheme URIs. This Cross-site Scripting (XSS) vulnerability can be executed on the Home Assistant frontend domain, which may be used for a full takeover of the Home Assistant account and installation. • https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-41896 – Fake websocket server installation permits full takeover in Home Assistant Core
https://notcve.org/view.php?id=CVE-2023-41896
Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). • https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q • CWE-345: Insufficient Verification of Data Authenticity •