CVE-2023-41895
Cross-site Scripting via auth_callback login in Home Assistant Core
Descriptions
Home Assistant is an open source home automation platform. The Home Assistant login page allows users to use their local Home Assistant credentials to log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation normally ensures that it matches the `client_id` and that its scheme is either `http` or `https`, Home Assistant will also fetch the page at the `client_id` URL and check it for `<link rel="redirect_uri" href="...">` HTML tags. The URLs discovered this way are not subjected to the same scheme validation and therefore allow arbitrary JavaScript execution on the Home Assistant administration page through `javascript:` scheme URIs. This Cross-site Scripting (XSS) vulnerability executes on the Home Assistant frontend domain and may be used for a full takeover of the Home Assistant account and installation. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
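The fix described above amounts to applying the same scheme and host check to redirect URIs discovered on the `client_id` page as to the `redirect_uri` query parameter. The following added example (not Home Assistant's own code) shows the unvalidated discovery beside a hardened filter; the function names, the http/https allowlist and the host-must-match-`client_id` rule are assumptions for illustration, and the sample client page is constructed.

```python
# Added illustration, not Home Assistant code: discover <link rel="redirect_uri">
# hrefs on a client_id page, then keep only http/https targets whose host matches
# the client_id host, so a javascript: href can never become an allowed redirect.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class RedirectLinkParser(HTMLParser):
    """Collects href values of <link rel="redirect_uri" href="..."> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if "redirect_uri" in rels and a.get("href"):
            self.hrefs.append(a["href"])


def discovered_redirect_uris(client_id: str, html: str) -> list:
    """Unvalidated discovery: relative hrefs are resolved against client_id,
    but nothing checks the scheme (the behaviour the advisory describes)."""
    p = RedirectLinkParser()
    p.feed(html)
    return [urljoin(client_id, h) for h in p.hrefs]


def is_safe_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Assumed hardening rule: scheme must be http or https (urlsplit lowercases
    it, so JAVASCRIPT: is caught too) and the host must equal the client_id host."""
    c, r = urlsplit(client_id), urlsplit(redirect_uri)
    return r.scheme in ("http", "https") and r.hostname is not None \
        and r.hostname == c.hostname


def allowed_redirect_uris(client_id: str, html: str) -> list:
    """Discovery plus the hardened filter."""
    return [u for u in discovered_redirect_uris(client_id, html)
            if is_safe_redirect_uri(client_id, u)]


# Constructed sample client page: two legitimate links, one javascript: link,
# and an unrelated <link> that must be ignored.
SAMPLE_CLIENT_ID = "https://client.example/"
SAMPLE_HTML = """<html><head>
<link rel="redirect_uri" href="https://client.example/callback">
<link rel="redirect_uri" href="/other-callback">
<link rel="redirect_uri" href="javascript:void(0)">
<link rel="stylesheet" href="/style.css">
</head></html>"""
```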
SSVC
- Decision:Track*
Timeline
- 2023-09-04 CVE Reserved
- 2023-10-19 CVE Published
- 2024-09-12 CVE Updated
- 2024-09-18 EPSS Updated
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (1)
URL | Date | Source |
---|---|---|
https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv | 2023-10-26 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Home-assistant | Home-assistant | < 2023.9.0 | - | Affected |