CVE-2023-41895— Home Assistant 跨站脚本漏洞

Cross-site Scripting via auth_callback login in Home Assistant Core

Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically ensures that it matches the `client_id` and the scheme represents either `http` or `https`, Home Assistant will fetch the `client_id` and check for `<link rel="redirect_uri" href="...">` HTML tags on the page. These URLs are not subjected to the same scheme validation and thus allow for arbitrary JavaScript execution on the Home Assistant administration page via usage of `javascript:` scheme URIs. This Cross-site Scripting (XSS) vulnerability can be executed on the Home Assistant frontend domain, which may be used for a full takeover of the Home Assistant account and installation. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Home Assistant 跨站脚本漏洞

Home Assistant是一套开源的家庭自动化管理系统。该系统主要用于控制家庭自动化设备。 Home assistant 2023.9.0之前版本存在安全漏洞，该漏洞源于login页面存在安全漏洞。攻击者可利用该漏洞使用本地Home assistant凭据登录到指定redirect_uri和client_id参数的另一个网站。

N/A

N/A