CVE-2023-41896 – Fake websocket server installation permits full takeover in Home Assistant Core
https://notcve.org/view.php?id=CVE-2023-41896
Home Assistant is open source home automation software. While auditing the frontend code to identify hidden parameters, Cure53 found `auth_callback=1`, which the WebSocket authentication logic consumes together with the `state` parameter. The `state` parameter carries the `hassUrl` that the frontend then uses to establish its WebSocket connection. Because the frontend does not verify that this URL points at the instance the page was loaded from, an attacker can craft a Home Assistant link with a modified `state` parameter that forces the frontend to connect to an attacker-controlled WebSocket backend. From that point on, the attacker can spoof any WebSocket response and trigger cross-site scripting (XSS), which amounts to a full takeover of the frontend session.

References:
https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw
https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q

Weakness: CWE-345: Insufficient Verification of Data Authenticity
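The following is an added example, not code from Home Assistant or from the advisory, showing the shape of the problem described above: a callback URL whose `state` parameter carries the backend URL the frontend will open a WebSocket to, first trusted as-is and then checked against the page's own origin. The `state` encoding (base64 of JSON with `hassUrl` and `clientId`), the `encodeState`/`decodeState` helpers, the `/api/websocket` path and the hostnames `ha.example` and `attacker.example` are assumptions made for the example; the real wire format and the project's fix may differ. It runs under Node.js.

```javascript
// Added example (not Home Assistant code). Assumed state format: base64(JSON({hassUrl, clientId})).

// Hypothetical encoder for the state parameter, used only to build test inputs.
function encodeState(hassUrl, clientId) {
  return Buffer.from(JSON.stringify({ hassUrl, clientId })).toString("base64");
}

// Decode the state parameter; return null on anything that is not well-formed.
function decodeState(state) {
  try {
    const parsed = JSON.parse(Buffer.from(state, "base64").toString("utf8"));
    if (!parsed || typeof parsed.hassUrl !== "string") return null;
    return parsed;
  } catch (e) {
    return null;
  }
}

// Build the WebSocket endpoint from an http(s) base: http -> ws, https -> wss.
function websocketEndpoint(base) {
  return new URL("/api/websocket", base).toString().replace(/^http/, "ws");
}

// Vulnerable flow: whatever hassUrl the link carries in `state` is used as the backend.
// An attacker-supplied link therefore steers the frontend to a server they control.
function pickBackendVulnerable(pageUrl) {
  const url = new URL(pageUrl);
  if (url.searchParams.get("auth_callback") !== "1") return null;
  const st = decodeState(url.searchParams.get("state") || "");
  if (!st) return null;
  return websocketEndpoint(st.hassUrl);
}

// Hardened flow: the hassUrl in `state` is only honoured when its origin equals the
// origin the frontend itself was loaded from (scheme, host and port all must match).
function pickBackendHardened(pageUrl) {
  const url = new URL(pageUrl);
  if (url.searchParams.get("auth_callback") !== "1") return null;
  const st = decodeState(url.searchParams.get("state") || "");
  if (!st) return null;
  let target;
  try {
    target = new URL(st.hassUrl);
  } catch (e) {
    return null; // not a parseable URL at all
  }
  if (target.origin !== url.origin) return null; // foreign backend: refuse
  return websocketEndpoint(target);
}

// Constructed inputs: one legitimate callback link and one with a tampered state.
const INSTANCE = "http://ha.example:8123";
const LEGIT_STATE = encodeState(INSTANCE, INSTANCE + "/");
const EVIL_STATE = encodeState("http://attacker.example", INSTANCE + "/");
const LEGIT_LINK = `${INSTANCE}/?auth_callback=1&state=${encodeURIComponent(LEGIT_STATE)}`;
const EVIL_LINK = `${INSTANCE}/?auth_callback=1&state=${encodeURIComponent(EVIL_STATE)}`;

console.log("vulnerable, evil link  ->", pickBackendVulnerable(EVIL_LINK));
console.log("hardened,   evil link  ->", pickBackendHardened(EVIL_LINK));
console.log("hardened,   legit link ->", pickBackendHardened(LEGIT_LINK));
```

Comparing the full origin (not just the hostname) matters: a `state` pointing at `http://ha.example:9999` or at a different scheme is just as foreign to the page as a different host, and a bare substring or prefix check on the URL string would let `http://ha.example:8123.attacker.example` through.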