Lack of XFO header allows clickjacking in Home Assistant Core
CVE-2023-41897

8.8 HIGH

Key Information:

CVE Published: 19 October 2023

What is CVE-2023-41897?

Home Assistant, an open-source home automation platform, has a security vulnerability caused by the lack of essential HTTP security headers, including the X-Frame-Options header. Without this header, a browser will render the Home Assistant interface inside a frame on an attacker-controlled page, enabling clickjacking: a user who believes they are interacting with the outer page can be tricked into clicking on the framed Home Assistant content, potentially installing a harmful add-on without realising it. This could lead to Remote Code Execution (RCE) within the application. Users should upgrade to version 2023.9.0 or later to mitigate this risk, as no workarounds are currently available.
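As an added example (not Home Assistant's own code), the check below reports whether a response's headers still leave it embeddable by a cross-origin page, the condition at the root of this CVE. It compares a constructed unprotected response with two hardened variants, one using X-Frame-Options and one using a Content-Security-Policy frame-ancestors directive; the header values are constructed, not captured from a real instance.

```python
"""Detect responses that can be framed cross-origin (clickjacking exposure).

Added example, not Home Assistant's own code: it models the defect behind
CVE-2023-41897 (no X-Frame-Options header and no CSP frame-ancestors
directive) beside the hardened responses a fixed server would send.
"""
from typing import Dict, List


def frame_ancestors(csp: str) -> List[str]:
    """Return the sources of the CSP frame-ancestors directive, or [] if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return []


def framing_allowed(headers: Dict[str, str]) -> bool:
    """True if some cross-origin page could embed this response in an iframe.

    Header names are matched case-insensitively. Browsers give CSP
    frame-ancestors precedence over X-Frame-Options, so it is checked first.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors:
        # 'none' and 'self' forbid cross-origin framing; a host list or '*' permits it.
        return not set(ancestors) <= {"'none'", "'self'"}
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    return True  # no usable anti-framing header: clickjacking is possible


# Constructed sample responses (header dicts), not captured from a real server.
UNPROTECTED = {"Content-Type": "text/html"}
PROTECTED_XFO = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
PROTECTED_CSP = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    samples = [("unprotected", UNPROTECTED), ("xfo", PROTECTED_XFO), ("csp", PROTECTED_CSP)]
    for name, hdrs in samples:
        print(f"{name}: framing allowed = {framing_allowed(hdrs)}")
```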

Affected Version(s)

core < 2023.9.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
