Cross-site Scripting via auth_callback login in Home Assistant Core
CVE-2023-41895

8.8 HIGH

Key Information:

CVE Published: 19 October 2023

What is CVE-2023-41895?

Home Assistant, an open source home automation platform, has a Cross-Site Scripting (XSS) vulnerability that arises when the login page allows users to log in using their local credentials on third-party websites. The vulnerability stems from insufficient validation of the redirect_uri parameter, particularly when javascript: scheme URIs are used. This leads to arbitrary JavaScript execution on the Home Assistant administration page, potentially allowing attackers to take over accounts and installations. The issue is resolved in version 2023.9.0, and users are strongly encouraged to upgrade to ensure their systems remain secure. No workarounds are available.
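The root cause described above is a redirect target that is accepted without checking its scheme, so a `javascript:` URI reaches the browser and executes on the administration page. The following is an added illustration of the validation a login callback should perform before it ever echoes or redirects to a caller-supplied `redirect_uri`; it is written for this page and is not Home Assistant's code or its 2023.9.0 patch. The function names, the `ALLOWED_SCHEMES` set and all sample inputs are assumptions constructed here. Note that it also strips the tab and newline characters browsers ignore inside a scheme, so `java\tscript:` cannot slip past a naive prefix check.

```python
from urllib.parse import urlsplit

# Schemes a login redirect target may use. Anything else (javascript:, data:,
# vbscript:, ...) is rejected outright. Assumed policy for this example.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Characters browsers silently drop before interpreting a URL's scheme, so a
# value such as "java\tscript:" still runs as javascript: if passed through.
_BROWSER_STRIPPED = "\t\n\r"

# Leading/trailing C0 control characters and space, which browsers also ignore.
_EDGE_STRIP = "".join(chr(c) for c in range(0x21))


def normalize_redirect_uri(raw: str) -> str:
    """Canonicalize the raw parameter the way a browser would before parsing."""
    cleaned = "".join(ch for ch in raw if ch not in _BROWSER_STRIPPED)
    return cleaned.strip(_EDGE_STRIP)


def is_safe_redirect_uri(raw: str) -> bool:
    """Return True only for absolute http(s) URLs with a host component.

    Rejects javascript:/data: style pseudo-URLs, scheme-less relative paths
    (whose interpretation depends on the page that renders them), and
    authorities carrying userinfo (https://trusted@evil.example).
    """
    uri = normalize_redirect_uri(raw)
    try:
        parts = urlsplit(uri)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.netloc:
        return False
    if "@" in parts.netloc:
        return False
    return True


def select_redirect_target(raw: str, fallback: str = "/") -> str:
    """Return the validated redirect target, or a safe local fallback.

    A callback handler would use this instead of trusting the parameter, so a
    hostile value never reaches a Location header or an HTML attribute.
    """
    return normalize_redirect_uri(raw) if is_safe_redirect_uri(raw) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the advisory.
    samples = [
        "https://app.example/auth/callback",
        "javascript:alert(document.cookie)",
        "JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "data:text/html,<script>1</script>",
        "https://trusted@evil.example/",
        "/local/path",
    ]
    for s in samples:
        print(f"{s!r:45} -> {'allow' if is_safe_redirect_uri(s) else 'reject'}")
```

The allow-list on scheme plus the requirement for a host is the check that matters; a deny-list of known bad schemes is easy to bypass with case and control-character variants, which is why normalization happens before parsing here.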

Affected Version(s)

core < 2023.9.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
