CVE-2023-41896

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-41896
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41896.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-41896
Related
  • GHSA-935v-rmg9-44mw
  • GHSA-cr83-q7r2-7f5q
Published
2023-10-19T23:15:08Z
Modified
2025-01-08T09:42:43.768824Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
[none]
Details

Home Assistant is an open source home automation platform. While auditing the frontend code to identify hidden parameters, Cure53 detected auth_callback=1, which is used by the WebSocket authentication logic together with the state parameter. The state parameter contains the hassUrl, which is subsequently used to establish a WebSocket connection. This behaviour permits an attacker to craft a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. From there, the attacker can spoof any WebSocket responses and trigger cross-site scripting (XSS). Since the XSS executes on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially amounts to a complete takeover scenario.

Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, makes this exploit substantially more covert, since a malicious website can hide the compromise in the background. However, even without this, the attacker can still send the auth_callback link directly to the victim user.

To mitigate this issue, Cure53 advises modifying the WebSocket code's authentication flow. An optimal implementation would not trust the hassUrl passed in via a GET parameter. Cure53 notes that, despite holding full control over the WebSocket responses, its consultants needed significant time to identify an XSS vector. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually found the js_url for custom panels, though generally the frontend exhibited reasonable security hardening.

This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
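As an added illustration of the mitigation the advisory recommends (not code from Home Assistant or home-assistant-js-websocket), the following contrasts a callback handler that trusts whatever hassUrl the state parameter carries with one that only accepts a hassUrl whose origin matches the origin the page was served from. The base64-encoded JSON layout of state, the function names and the sample URLs are assumptions constructed for this example.

```javascript
// Added example; not the project's own code. Assumption: `state` is
// base64(JSON({ hassUrl, clientId })), the shape the advisory describes only loosely.
const ERR_INVALID_AUTH = "invalid_auth_callback";

// Decode the state value; returns null on any malformed input.
function decodeState(encoded) {
  try {
    return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
  } catch (e) {
    return null;
  }
}

// True when both URLs share scheme, host and port.
function sameOrigin(a, b) {
  try { return new URL(a).origin === new URL(b).origin; } catch (e) { return false; }
}

// Pattern the advisory describes: the hassUrl found in `state` is used
// as the WebSocket backend without checking where it points.
function resolveBackendVulnerable(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  if (params.get("auth_callback") !== "1") return null;
  const state = decodeState(params.get("state") || "");
  if (!state || typeof state.hassUrl !== "string") return null;
  return state.hassUrl; // attacker-controlled value trusted as-is
}

// Hardened pattern: the backend must be the page's own origin; a state
// naming any other hassUrl is rejected instead of being connected to.
function resolveBackendHardened(pageUrl) {
  const page = new URL(pageUrl);
  if (page.searchParams.get("auth_callback") !== "1") return null;
  const state = decodeState(page.searchParams.get("state") || "");
  if (!state || typeof state.hassUrl !== "string") throw new Error(ERR_INVALID_AUTH);
  if (!sameOrigin(state.hassUrl, page.origin)) throw new Error(ERR_INVALID_AUTH);
  return page.origin;
}

// Builds a callback link with a given hassUrl in `state` (constructed test data).
function buildCallbackUrl(pageOrigin, hassUrl) {
  const json = JSON.stringify({ hassUrl, clientId: pageOrigin + "/" });
  const state = Buffer.from(json, "utf8").toString("base64");
  return `${pageOrigin}/?auth_callback=1&state=${encodeURIComponent(state)}`;
}
```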

References

Affected packages

Git / github.com/home-assistant/home-assistant

Affected ranges

Type
GIT
Repo
https://github.com/home-assistant/home-assistant
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/home-assistant/home-assistant-js-websocket
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.10
0.10.1
0.100.0
0.100.0b0
0.100.0b1
0.100.0b2
0.100.0b3
0.100.1
0.100.2
0.100.3
0.101.0
0.101.0b0
0.101.0b1
0.101.0b2
0.101.0b3
0.101.0b4
0.101.1
0.101.2
0.101.3
0.102.0
0.102.0b0
0.102.0b1
0.102.0b2
0.102.0b3
0.102.1
0.102.2
0.102.3
0.103.0
0.103.0b0
0.103.0b1
0.103.1
0.103.2
0.103.3
0.103.4
0.103.5
0.103.6
0.104.0
0.104.0b0
0.104.0b1
0.104.0b2
0.104.0b3
0.104.0b4
0.104.0b5
0.104.1
0.104.2
0.104.3
0.105.0
0.105.0b0
0.105.0b1
0.105.0b2
0.105.0b3
0.105.0b4
0.105.0b5
0.105.0b6
0.105.0b7
0.105.1
0.105.2
0.105.3
0.105.4
0.105.5
0.106.0
0.106.0b0
0.106.0b1
0.106.0b2
0.106.0b3
0.106.0b4
0.106.0b5
0.106.1
0.106.2
0.106.3
0.106.4
0.106.5
0.106.6
0.107.0
0.107.0b0
0.107.0b1
0.107.0b2
0.107.0b3
0.107.0b4
0.107.0b5
0.107.0b6
0.107.0b7
0.107.0b8
0.107.1
0.107.2
0.107.3
0.107.4
0.107.5
0.107.6
0.107.7
0.108.0
0.108.0b0
0.108.0b1
0.108.0b2
0.108.0b3
0.108.0b4
0.108.0b5
0.108.0b6
0.108.1
0.108.2
0.108.3
0.108.4
0.108.5
0.108.6
0.108.7
0.108.8
0.108.9
0.109.0
0.109.0b0
0.109.0b1
0.109.0b2
0.109.0b3
0.109.0b4
0.109.0b5
0.109.1
0.109.2
0.109.3
0.109.4
0.109.5
0.109.6
0.11
0.11.1
0.110.0
0.110.0b0
0.110.0b1
0.110.0b2
0.110.0b3
0.110.0b4
0.110.0b5
0.110.1
0.110.2
0.110.3
0.110.4
0.110.5
0.110.6
0.110.7
0.111.0
0.111.0b0
0.111.0b1
0.111.0b2
0.111.0b3
0.111.0b4
0.111.0b5
0.111.1
0.111.2
0.111.3
0.111.4
0.112.0
0.112.0b0
0.112.0b1
0.112.0b2
0.112.0b3
0.112.0b4
0.112.1
0.112.2
0.112.3
0.112.4
0.112.5
0.113.0
0.113.0b0
0.113.0b1
0.113.0b2
0.113.0b3
0.113.1
0.113.2
0.113.3
0.114.0
0.114.0b0
0.114.0b1
0.114.0b2
0.114.0b3
0.114.0b4
0.114.1
0.114.2
0.114.3
0.114.4
0.115.0
0.115.0b0
0.115.0b1
0.115.0b10
0.115.0b11
0.115.0b12
0.115.0b2
0.115.0b3
0.115.0b4
0.115.0b5
0.115.0b6
0.115.0b7
0.115.0b8
0.115.0b9
0.115.1
0.115.2
0.115.3
0.115.4
0.115.5
0.115.6
0.116.0
0.116.0b0
0.116.0b1
0.116.0b2
0.116.0b3
0.116.0b4
0.116.0b5
0.116.0b6
0.116.1
0.116.2
0.116.3
0.116.4
0.117.0
0.117.0b0
0.117.0b1
0.117.0b2
0.117.0b3
0.117.0b4
0.117.0b5
0.117.0b6
0.117.1
0.117.2
0.117.3
0.117.4
0.117.5
0.117.6
0.118.0
0.118.0b0
0.118.0b1
0.118.0b2
0.118.0b3
0.118.1
0.118.2
0.118.3
0.118.4
0.118.5
0.12
0.13
0.13.1
0.14
0.14.1
0.14.2
0.15
0.16
0.16.1
0.17
0.17.1
0.17.2
0.17.3
0.18
0.19
0.19.1
0.19.2
0.19.3
0.19.4
0.20
0.20.1
0.20.2
0.20.3
0.21
0.21.1
0.21.2
0.22
0.23
0.23.1
0.24
0.24.1
0.25
0.25.1
0.25.2
0.26
0.26.1
0.26.2
0.26.3
0.27.0
0.27.1
0.27.2
0.28
0.28.1
0.28.2
0.29
0.29.2
0.29.3
0.29.4
0.29.5
0.29.6
0.29.7
0.30
0.30.1
0.30.2
0.31
0.31.1
0.32
0.32.1
0.32.2
0.32.3
0.32.4
0.33
0.33.1
0.33.2
0.33.3
0.33.4
0.34
0.34.1
0.34.2
0.34.3
0.34.4
0.34.5
0.35
0.35.1
0.35.2
0.35.3
0.36
0.36.1
0.37
0.37.1
0.38
0.38.1
0.38.2
0.38.3
0.38.4
0.39
0.39.1
0.39.2
0.39.3
0.40
0.40.1
0.40.2
0.41
0.42
0.42.1
0.42.2
0.42.3
0.42.4
0.43
0.43.1
0.43.2
0.44
0.44.1
0.44.2
0.45
0.45.1
0.46
0.46.1
0.47
0.47.1
0.48
0.48.1
0.49
0.49.1
0.50
0.50.2
0.51
0.51.1
0.51.2
0.52
0.52.1
0.53
0.53.1
0.54
0.55
0.55.1
0.55.2
0.56
0.56.1
0.56.2
0.57
0.57.1
0.57.2
0.57.3
0.58
0.58.1
0.59
0.59.1
0.59.2
0.60
0.60.1
0.61
0.61.1
0.62.0
0.62.1
0.63
0.63.1
0.63.2
0.63.3
0.64.0
0.64.1
0.64.2
0.64.3
0.65.0
0.65.1
0.65.2
0.65.3
0.65.4
0.65.5
0.65.6
0.66.0
0.66.0.b2
0.66.0.beta0
0.66.0.beta1
0.66.0b3
0.66.1
0.66.1b0
0.67.0
0.67.0b0
0.67.0b1
0.67.1
0.68.0
0.68.0b0
0.68.0b1
0.68.0b2
0.68.1
0.69.0
0.69.0b0
0.69.0b1
0.69.0b2
0.69.0b3
0.69.1
0.7
0.7-rc.1
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.70.0
0.70.0b0
0.70.0b1
0.70.0b2
0.70.0b3
0.70.0b4
0.70.0b5
0.70.0b6
0.70.0b7
0.70.1
0.71.0
0.71.0b0
0.71.0b1
0.72.0
0.72.0b0
0.72.0b1
0.72.0b2
0.72.0b4
0.72.0b5
0.72.0b6
0.72.0b7
0.72.0b8
0.72.0b9
0.72.1
0.73.0
0.73.0b0
0.73.0b1
0.73.0b2
0.73.0b3
0.73.0b4
0.73.0b5
0.73.0b6
0.73.1
0.73.2
0.74.0
0.74.0b0
0.74.0b1
0.74.0b2
0.74.0b3
0.74.0b4
0.74.1
0.74.2
0.75.0
0.75.0b0
0.75.0b1
0.75.1
0.75.2
0.75.3
0.76.0
0.76.0b0
0.76.0b1
0.76.0b2
0.76.0b3
0.76.0b4
0.76.0b5
0.76.1
0.76.2
0.77.0
0.77.0b0
0.77.0b1
0.77.0b2
0.77.0b3
0.77.0b4
0.77.1
0.77.2
0.77.3
0.78.0
0.78.0b0
0.78.0b1
0.78.0b2
0.78.0b3
0.78.1
0.78.2
0.78.3
0.79.0
0.79.0b0
0.79.0b1
0.79.0b2
0.79.0b3
0.79.1
0.79.2
0.79.3
0.8
0.80.0
0.80.0b0
0.80.0b1
0.80.0b3
0.80.0b4
0.80.0b5
0.80.1
0.80.2
0.80.3
0.81.0
0.81.0b0
0.81.0b1
0.81.0b2
0.81.1
0.81.2
0.81.4
0.81.5
0.81.6
0.82.0
0.82.0b0
0.82.0b1
0.82.0b2
0.82.0b3
0.82.0b4
0.82.1
0.83.0
0.83.0b0
0.83.0b1
0.83.0b3
0.83.1
0.83.2
0.83.3
0.84.0
0.84.0b0
0.84.0b1
0.84.0b2
0.84.0b3
0.84.0b4
0.84.1
0.84.2
0.84.3
0.84.4
0.84.5
0.84.6
0.85.0
0.85.0b0
0.85.0b1
0.85.1
0.86.0
0.86.0b0
0.86.0b1
0.86.0b2
0.86.0b3
0.86.1
0.86.2
0.86.3
0.86.4
0.87.0
0.87.0b0
0.87.0b1
0.87.0b2
0.87.0b3
0.87.0b4
0.87.0b5
0.87.0b6
0.87.1
0.88.0
0.88.0b0
0.88.0b1
0.88.0b2
0.88.0b3
0.88.0b4
0.88.1
0.88.2
0.89.0
0.89.0b0
0.89.0b1
0.89.0b2
0.89.0b3
0.89.1
0.89.2
0.9
0.9.1
0.90.0
0.90.0b0
0.90.0b1
0.90.0b2
0.90.0b3
0.90.0b4
0.90.0b5
0.90.0b6
0.90.0b7
0.90.1
0.90.2
0.91.0
0.91.0b0
0.91.0b1
0.91.0b2
0.91.0b3
0.91.0b4
0.91.0b5
0.91.1
0.91.2
0.91.3
0.91.4
0.92.0
0.92.0b0
0.92.0b1
0.92.0b2
0.92.0b3
0.92.1
0.92.2
0.93.0
0.93.0b0
0.93.0b1
0.93.0b2
0.93.0b3
0.93.0b4
0.93.1
0.93.2
0.94.0
0.94.0b0
0.94.0b1
0.94.0b2
0.94.0b3
0.94.0b4
0.94.0b5
0.94.0b6
0.94.0b7
0.94.0b8
0.94.1
0.94.2
0.94.3
0.94.4
0.95.0
0.95.0b0
0.95.0b1
0.95.0b2
0.95.0b3
0.95.0b4
0.95.1
0.95.2
0.95.3
0.95.4
0.96.0
0.96.0b0
0.96.0b1
0.96.0b2
0.96.0b3
0.96.0b4
0.96.1
0.96.2
0.96.3
0.96.4
0.96.5
0.97.0
0.97.0b0
0.97.0b1
0.97.0b2
0.97.0b3
0.97.1
0.97.2
0.98.0
0.98.0b0
0.98.0b1
0.98.0b2
0.98.1
0.98.2
0.98.3
0.98.4
0.98.5
0.99.0
0.99.0b0
0.99.0b1
0.99.0b2
0.99.0b3
0.99.0b4
0.99.1
0.99.2
0.99.3

1.*

1.0
1.0.0b0
1.0.0b1
1.0.0b2
1.0.0b3
1.0.0b4
1.0.0b5
1.0.0b6
1.0.1
1.1.0
1.1.2
1.1.4

2.*

2.0.0
2.0.1

2020.*

2020.12.0
2020.12.1
2020.12.2

2021.*

2021.1.0
2021.1.0b0
2021.1.0b1
2021.1.0b2
2021.1.0b3
2021.1.1
2021.1.2
2021.1.3
2021.1.4
2021.1.5
2021.10.0
2021.10.0b0
2021.10.0b1
2021.10.0b2
2021.10.0b3
2021.10.0b4
2021.10.0b5
2021.10.0b6
2021.10.0b7
2021.10.0b8
2021.10.0b9
2021.10.1
2021.10.2
2021.10.3
2021.10.4
2021.10.5
2021.10.6
2021.10.7
2021.11.0
2021.11.0b0
2021.11.0b1
2021.11.0b2
2021.11.0b3
2021.11.0b4
2021.11.0b5
2021.11.1
2021.11.2
2021.11.3
2021.11.4
2021.11.5
2021.12.0
2021.12.0b0
2021.12.0b1
2021.12.0b2
2021.12.0b3
2021.12.0b4
2021.12.0b5
2021.12.0b6
2021.12.0b7
2021.12.1
2021.12.10
2021.12.2
2021.12.3
2021.12.4
2021.12.5
2021.12.6
2021.12.7
2021.12.8
2021.12.9
2021.2.0
2021.2.0b0
2021.2.0b1
2021.2.0b2
2021.2.0b3
2021.2.0b4
2021.2.0b5
2021.2.1
2021.2.2
2021.2.3
2021.3.0
2021.3.0b0
2021.3.0b1
2021.3.0b2
2021.3.0b3
2021.3.0b4
2021.3.0b5
2021.3.0b6
2021.3.0b7
2021.3.1
2021.3.2
2021.3.3
2021.3.4
2021.4.0
2021.4.0b0
2021.4.0b1
2021.4.0b2
2021.4.0b3
2021.4.0b4
2021.4.0b5
2021.4.0b6
2021.4.1
2021.4.2
2021.4.3
2021.4.4
2021.4.5
2021.4.6
2021.5.0
2021.5.0b0
2021.5.0b1
2021.5.0b2
2021.5.0b3
2021.5.0b4
2021.5.0b5
2021.5.0b6
2021.5.0b7
2021.5.0b8
2021.5.1
2021.5.2
2021.5.3
2021.5.4
2021.5.5
2021.6.0
2021.6.0b0
2021.6.0b1
2021.6.0b2
2021.6.0b3
2021.6.0b4
2021.6.0b5
2021.6.1
2021.6.2
2021.6.3
2021.6.4
2021.6.5
2021.6.6
2021.7.0
2021.7.0b0
2021.7.0b1
2021.7.0b2
2021.7.0b3
2021.7.0b4
2021.7.0b5
2021.7.0b6
2021.7.1
2021.7.2
2021.7.3
2021.7.4
2021.8.0
2021.8.0b0
2021.8.0b1
2021.8.0b10
2021.8.0b2
2021.8.0b3
2021.8.0b4
2021.8.0b5
2021.8.0b6
2021.8.0b7
2021.8.0b8
2021.8.0b9
2021.8.1
2021.8.2
2021.8.3
2021.8.4
2021.8.5
2021.8.6
2021.8.7
2021.8.8
2021.9.0
2021.9.0b0
2021.9.0b1
2021.9.0b2
2021.9.0b3
2021.9.0b4
2021.9.0b5
2021.9.0b6
2021.9.0b7
2021.9.1
2021.9.2
2021.9.3
2021.9.4
2021.9.5
2021.9.6
2021.9.7

2022.*

2022.10.0
2022.10.0b0
2022.10.0b1
2022.10.0b2
2022.10.0b3
2022.10.0b4
2022.10.0b5
2022.10.0b6
2022.10.1
2022.10.2
2022.10.3
2022.10.4
2022.10.5
2022.11.0
2022.11.0b0
2022.11.0b1
2022.11.0b2
2022.11.0b3
2022.11.0b4
2022.11.0b5
2022.11.0b6
2022.11.0b7
2022.11.1
2022.11.2
2022.11.3
2022.11.4
2022.11.5
2022.12.0
2022.12.0b0
2022.12.0b1
2022.12.0b2
2022.12.0b3
2022.12.0b4
2022.12.0b5
2022.12.0b6
2022.12.0b7
2022.12.1
2022.12.2
2022.12.3
2022.12.4
2022.12.5
2022.12.6
2022.12.7
2022.12.8
2022.12.9
2022.2.0
2022.2.0b0
2022.2.0b1
2022.2.0b2
2022.2.0b3
2022.2.0b4
2022.2.0b5
2022.2.0b6
2022.2.1
2022.2.2
2022.2.3
2022.2.4
2022.2.5
2022.2.6
2022.2.7
2022.2.8
2022.2.9
2022.3.0
2022.3.0b0
2022.3.0b1
2022.3.0b2
2022.3.0b3
2022.3.0b4
2022.3.0b5
2022.3.0b6
2022.3.1
2022.3.2
2022.3.3
2022.3.4
2022.3.5
2022.3.6
2022.3.7
2022.3.8
2022.4.0
2022.4.0b0
2022.4.0b1
2022.4.0b2
2022.4.0b3
2022.4.0b4
2022.4.0b5
2022.4.0b6
2022.4.1
2022.4.2
2022.4.3
2022.4.4
2022.4.5
2022.4.6
2022.4.7
2022.5.0
2022.5.0b0
2022.5.0b1
2022.5.0b2
2022.5.0b3
2022.5.0b4
2022.5.0b5
2022.5.0b6
2022.5.0b7
2022.5.1
2022.5.2
2022.5.3
2022.5.4
2022.5.5
2022.6.0
2022.6.0b0
2022.6.0b1
2022.6.0b2
2022.6.0b3
2022.6.0b4
2022.6.0b5
2022.6.0b6
2022.6.0b7
2022.6.1
2022.6.2
2022.6.3
2022.6.4
2022.6.5
2022.6.6
2022.6.7
2022.7.0
2022.7.0b0
2022.7.0b1
2022.7.0b2
2022.7.0b3
2022.7.0b4
2022.7.0b5
2022.7.1
2022.7.2
2022.7.3
2022.7.4
2022.7.5
2022.7.6
2022.7.7
2022.8.0
2022.8.0b0
2022.8.0b1
2022.8.0b2
2022.8.0b3
2022.8.0b4
2022.8.0b5
2022.8.0b6
2022.8.0b7
2022.8.1
2022.8.2
2022.8.3
2022.8.4
2022.8.5
2022.8.6
2022.8.7
2022.9.0
2022.9.0b0
2022.9.0b1
2022.9.0b2
2022.9.0b3
2022.9.0b4
2022.9.0b5
2022.9.0b6
2022.9.1
2022.9.2
2022.9.3
2022.9.4
2022.9.5
2022.9.6
2022.9.7

2023.*

2023.1.0
2023.1.0b0
2023.1.0b1
2023.1.0b2
2023.1.0b3
2023.1.0b4
2023.1.0b5
2023.1.1
2023.1.2
2023.1.3
2023.1.4
2023.1.5
2023.1.6
2023.1.7
2023.2.0
2023.2.0b0
2023.2.0b1
2023.2.0b2
2023.2.0b3
2023.2.0b4
2023.2.0b5
2023.2.0b6
2023.2.0b7
2023.2.0b8
2023.2.0b9
2023.2.1
2023.2.2
2023.2.3
2023.2.4
2023.2.5
2023.3.0
2023.3.0b0
2023.3.0b1
2023.3.0b2
2023.3.0b3
2023.3.0b4
2023.3.0b5
2023.3.0b6
2023.3.0b7
2023.3.1
2023.3.2
2023.3.3
2023.3.4
2023.3.5
2023.3.6
2023.4.0
2023.4.0b0
2023.4.0b1
2023.4.0b2
2023.4.0b3
2023.4.0b4
2023.4.0b5
2023.4.0b6
2023.4.0b7
2023.4.1
2023.4.2
2023.4.3
2023.4.4
2023.4.5
2023.4.6
2023.5.0
2023.5.0b0
2023.5.0b1
2023.5.0b2
2023.5.0b3
2023.5.0b4
2023.5.0b5
2023.5.0b6
2023.5.0b7
2023.5.0b8
2023.5.0b9
2023.5.1
2023.5.2
2023.5.3
2023.5.4
2023.6.0
2023.6.0b0
2023.6.0b1
2023.6.0b2
2023.6.0b3
2023.6.0b4
2023.6.0b5
2023.6.0b6
2023.6.1
2023.6.2
2023.6.3
2023.7.0
2023.7.0b0
2023.7.0b1
2023.7.0b2
2023.7.0b3
2023.7.0b4
2023.7.0b5
2023.7.0b6
2023.7.1
2023.7.2
2023.7.3
2023.8.0b0
2023.8.0b1
2023.8.0b2
2023.8.0b3
2023.8.0b4

3.*

3.0.0
3.0.0-rc1
3.0.0-rc2
3.0.0-rc3
3.0.0-rc4
3.0.0-rc5
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.2.0
3.2.1
3.2.2
3.2.4
3.2.5
3.3.0
3.4.0

4.*

4.0.0
4.1.0
4.1.1
4.1.2
4.2.0
4.3.0
4.3.1
4.4.0
4.4.1
4.5.0

5.*

5.0.0
5.1.0
5.1.1
5.1.2
5.10.0
5.11.0
5.11.1
5.11.2
5.11.3
5.12.0
5.2.0
5.2.1
5.2.2
5.2.3
5.3.0
5.4.0
5.4.1
5.5.0
5.6.0
5.7.0
5.8.0
5.8.1
5.9.0

6.*

6.0.0
6.0.1
6.1.0
6.1.1

7.*

7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.1.0

8.*

8.0.0
8.0.1
8.1.0

Other

Last-Python2-release