TROYANOSYVIRUS
Volver a CVEs

CVE-2023-41897

HIGH
8.8

Descripcion

Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Detalles CVE

Puntuacion CVSS v3.18.8
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioREQUIRED
Publicado10/19/2023
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0

Productos afectados

home-assistant:home-assistant

Debilidades (CWE)

CWE-1021CWE-1021

Referencias

https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw(security-advisories@github.com)
https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q(security-advisories@github.com)
https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/(security-advisories@github.com)
https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q(af854a3a-2127-422b-91ae-364da2661108)
https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.