CVE-2024-27287

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-27287
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-27287.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-27287
Aliases
Related
Published
2024-03-06T19:15:07Z
Modified
2025-01-08T15:55:54.529035Z
Summary
[none]
Details

ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with Content-Type: text/html; charset=UTF-8, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page/edit?configuration=[xss file]. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards. In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue.

References

Affected packages

Git / github.com/esphome/esphome

Affected ranges

Type
GIT
Repo
https://github.com/esphome/esphome
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
37d2b3c7977a4ccbec59726ca7549cb776661455
Fixed
37d2b3c7977a4ccbec59726ca7549cb776661455

Affected versions

2021.*

2021.10.0
2021.10.0b1
2021.10.0b10
2021.10.0b11
2021.10.0b2
2021.10.0b3
2021.10.0b4
2021.10.0b5
2021.10.0b6
2021.10.0b7
2021.10.0b8
2021.10.0b9
2021.10.1
2021.10.2
2021.10.3
2021.11.0
2021.11.0b1
2021.11.0b2
2021.11.0b3
2021.11.0b4
2021.11.0b5
2021.11.0b6
2021.11.0b7
2021.11.0b8
2021.11.0b9
2021.11.1
2021.11.2
2021.11.3
2021.11.4
2021.12.0
2021.12.0b1
2021.12.0b2
2021.12.0b3
2021.12.0b4
2021.12.0b5
2021.12.0b6
2021.12.1
2021.12.2
2021.12.3
2021.8.0
2021.8.1
2021.8.2
2021.9.0
2021.9.0b1
2021.9.0b2
2021.9.0b3
2021.9.0b4
2021.9.0b5
2021.9.1
2021.9.2
2021.9.3

2022.*

2022.1.0
2022.1.0b1
2022.1.0b2
2022.1.0b3
2022.1.0b4
2022.1.1
2022.1.2
2022.1.3
2022.1.4
2022.10.0
2022.10.0b1
2022.10.0b2
2022.10.1
2022.10.2
2022.11.0
2022.11.0b1
2022.11.0b2
2022.11.0b3
2022.11.0b4
2022.11.0b5
2022.11.0b6
2022.11.1
2022.11.2
2022.11.3
2022.11.4
2022.11.5
2022.12.0
2022.12.0b1
2022.12.0b2
2022.12.0b3
2022.12.0b4
2022.12.0b5
2022.12.0b6
2022.12.1
2022.12.2
2022.12.3
2022.12.4
2022.12.5
2022.12.6
2022.12.7
2022.12.8
2022.2.0
2022.2.0b1
2022.2.0b2
2022.2.0b3
2022.2.1
2022.2.2
2022.2.3
2022.2.4
2022.2.5
2022.2.6
2022.3.0
2022.3.0b1
2022.3.0b2
2022.3.1
2022.3.2
2022.4.0
2022.4.0b1
2022.4.0b2
2022.4.0b3
2022.4.0b4
2022.5.0
2022.5.0b1
2022.5.0b2
2022.5.0b3
2022.5.0b4
2022.5.1
2022.6.0
2022.6.0b1
2022.6.0b2
2022.6.0b3
2022.6.0b4
2022.6.1
2022.6.2
2022.6.3
2022.8.0
2022.8.0b1
2022.8.0b2
2022.8.0b3
2022.8.1
2022.8.2
2022.8.3
2022.9.0
2022.9.0b1
2022.9.0b2
2022.9.0b3
2022.9.0b4
2022.9.0b5
2022.9.1
2022.9.2
2022.9.3
2022.9.4

2023.*

2023.10.0
2023.10.0b1
2023.10.0b2
2023.10.0b3
2023.10.0b4
2023.10.1
2023.10.2
2023.10.3
2023.10.4
2023.10.5
2023.10.6
2023.11.0
2023.11.0b1
2023.11.0b2
2023.11.0b3
2023.11.0b4
2023.11.0b5
2023.11.0b6
2023.11.0b7
2023.11.1
2023.11.2
2023.11.3
2023.11.4
2023.11.5
2023.11.6
2023.12.0
2023.12.0b1
2023.12.0b2
2023.12.0b3
2023.12.0b4
2023.12.0b5
2023.12.0b6
2023.12.1
2023.12.2
2023.12.3
2023.12.4
2023.12.5
2023.12.6
2023.12.7
2023.12.8
2023.12.9
2023.2.0
2023.2.0b1
2023.2.0b2
2023.2.0b3
2023.2.0b4
2023.2.0b5
2023.2.1
2023.2.2
2023.2.3
2023.2.4
2023.3.0
2023.3.0b1
2023.3.0b2
2023.3.0b3
2023.3.0b4
2023.3.0b5
2023.3.0b6
2023.3.1
2023.3.2
2023.4.0
2023.4.0b1
2023.4.0b2
2023.4.0b3
2023.4.0b4
2023.4.1
2023.4.2
2023.4.3
2023.4.4
2023.5.0
2023.5.0b1
2023.5.0b2
2023.5.0b3
2023.5.0b4
2023.5.0b5
2023.5.1
2023.5.2
2023.5.3
2023.5.4
2023.5.5
2023.6.0
2023.6.0b1
2023.6.0b2
2023.6.0b3
2023.6.0b4
2023.6.0b5
2023.6.0b6
2023.6.0b7
2023.6.1
2023.6.2
2023.6.3
2023.6.4
2023.6.5
2023.7.0
2023.7.0b1
2023.7.0b2
2023.7.0b3
2023.7.1
2023.8.0
2023.8.0b1
2023.8.0b2
2023.8.0b3
2023.8.0b4
2023.8.1
2023.8.2
2023.8.3
2023.9.0
2023.9.0b1
2023.9.0b2
2023.9.0b3
2023.9.0b4
2023.9.1
2023.9.2
2023.9.3

2024.*

2024.2.0
2024.2.0b1
2024.2.0b2
2024.2.0b3
2024.2.1

v1.*

v1.1
v1.10.0
v1.10.0b1
v1.10.0b2
v1.10.1
v1.11.0
v1.11.0b1
v1.11.0b2
v1.11.0b3
v1.11.1
v1.11.2
v1.12.0
v1.12.0b1
v1.12.0b2
v1.12.0b3
v1.12.0b4
v1.12.1
v1.12.2
v1.13.0
v1.13.0b1
v1.13.0b2
v1.13.0b3
v1.13.0b4
v1.13.0b5
v1.13.0b6
v1.13.0b7
v1.13.1
v1.13.2
v1.13.3
v1.13.4
v1.13.5
v1.13.6
v1.14.0
v1.14.0b1
v1.14.0b2
v1.14.0b3
v1.14.0b4
v1.14.0b5
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.15.0
v1.15.0b1
v1.15.0b2
v1.15.0b3
v1.15.0b4
v1.15.1
v1.15.2
v1.15.3
v1.16.0
v1.16.0b1
v1.16.0b2
v1.16.0b3
v1.16.0b4
v1.16.0b5
v1.16.0b6
v1.16.0b7
v1.16.0b8
v1.16.1
v1.16.2
v1.17.0
v1.17.0b1
v1.17.1
v1.17.2
v1.18.0
v1.18.0b1
v1.18.0b2
v1.18.0b3
v1.18.0b4
v1.19.0
v1.19.0b1
v1.19.0b2
v1.19.0b3
v1.19.0b4
v1.19.0b5
v1.19.0b6
v1.19.0b7
v1.19.1
v1.19.2
v1.19.3
v1.19.4
v1.2.1
v1.2.2
v1.20.0
v1.20.0b1
v1.20.0b2
v1.20.0b3
v1.20.0b4
v1.20.0b5
v1.20.0b6
v1.20.1
v1.20.2
v1.20.3
v1.20.4
v1.21.0b1
v1.21.0b2
v1.21.0b3
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.9.0
v1.9.0b1
v1.9.0b3
v1.9.0b4
v1.9.0b5
v1.9.0b6
v1.9.2
v1.9.3