
CVSS: 9.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

19 Oct 2023 — Home Assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alter...
Reference: https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw
CWE-345: Insufficient Verification of Data Authenticity