Secure CometVisu Add-on for openHAB Against SSRF and XSS Vulnerabilities
CVE-2024-42467

10CRITICAL

Key Information:

Vendor: Openhab
Status: Openhab-webui
Vendor: CVE Published:; 12 August 2024

What is CVE-2024-42467?

The openHAB CometVisu add-on, utilized in home automation systems, contains a critical security flaw allowing unrestricted access to its proxy endpoint prior to version 4.2.1. This vulnerability can be leveraged to execute Server-Side Request Forgery (SSRF), enabling attackers to send GET HTTP requests to internal servers from a compromised openHAB environment exposed to the public internet. Additionally, it opens avenues for Cross-Site Scripting (XSS) attacks, where the attacker can manipulate requests to direct malicious JavaScript code back to the user's browser, executed with the context of the CometVisu UI. This combination of vulnerabilities could potentially lead to Remote Code Execution (RCE) if exploited in conjunction with other security weaknesses. Users are strongly recommended to upgrade to the latest version of the CometVisu add-on to prevent these security risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch