Fake websocket server installation permits full takeover in Home Assistant Core
CVE-2023-41896

7.1 HIGH

Key Information:

Status
Vendor
CVE Published: 19 October 2023

What is CVE-2023-41896?

A flaw in Home Assistant's WebSocket authentication logic allows an attacker to manipulate the state parameter. By crafting a malicious Home Assistant link, an attacker can redirect the frontend to connect to an unauthorized WebSocket backend, bypassing normal security protocols. Because the frontend trusts the 'hassUrl' GET parameter, that backend can send spoofed WebSocket responses, enabling XSS attacks that execute malicious scripts on the frontend domain. As a result, attackers can potentially take over sessions and compromise user data. The issue is fixed in version 2023.8.0 of Home Assistant Core and in version 8.2.0 of the home-assistant-js-websocket npm package. Users are strongly encouraged to update their installations, as no workarounds exist.
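The class of check whose absence the description points at, written as an added example (not code from Home Assistant or home-assistant-js-websocket, and not the project's actual fix): a link-supplied `hassUrl` is accepted only when it has the same origin as the instance the user opened. The function name, the placeholder hostnames and the `/api/websocket` path are assumptions of this sketch; in a browser the trusted origin would be `window.location.origin`.

```javascript
// Added example: constructed check, not Home Assistant's own code.
// Returns the WebSocket endpoint for a link-supplied hassUrl only when it
// has the same origin as the trusted instance; otherwise returns null.
function resolveWebSocketUrl(candidateHassUrl, trustedOrigin) {
  let candidate, trusted;
  try {
    candidate = new URL(candidateHassUrl);
    trusted = new URL(trustedOrigin);
  } catch {
    return null; // malformed or relative URL: refuse rather than guess
  }
  // Only http(s) frontends map onto ws(s) backends.
  if (candidate.protocol !== "http:" && candidate.protocol !== "https:") {
    return null;
  }
  // Embedded credentials are a common way to disguise the real host.
  if (candidate.username || candidate.password) return null;
  // URL.origin normalises case and default ports, so compare origins,
  // never string prefixes.
  if (candidate.origin !== trusted.origin) return null;
  const scheme = candidate.protocol === "https:" ? "wss:" : "ws:";
  return `${scheme}//${candidate.host}/api/websocket`;
}

// Constructed sample inputs (all hostnames are placeholders).
const TRUSTED = "https://ha.example.test:8123";
const samples = [
  "https://ha.example.test:8123",                  // same origin
  "https://HA.example.test:8123/",                 // same origin, other case
  "https://ha.example.test:8123@attacker.example", // host hidden in userinfo
  "https://ha.example.test.attacker.example:8123", // look-alike suffix
  "javascript:void(0)",                            // non-http scheme
  "//attacker.example",                            // scheme-relative
];
for (const s of samples) {
  console.log(s, "->", resolveWebSocketUrl(s, TRUSTED));
}
```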

Affected Version(s)

core (Home Assistant Core): < 2023.8.0

core (home-assistant-js-websocket): < 8.2.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
