CVE-2023-41895— Cross-site Scripting via auth_callback login in Home Assistant Core
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-41895
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cross-site Scripting via auth_callback login in Home Assistant Core
Source: NVD (National Vulnerability Database)
Vulnerability Description
Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically ensures that it matches the `client_id` and the scheme represents either `http` or `https`, Home Assistant will fetch the `client_id` and check for `<link rel="redirect_uri" href="...">` HTML tags on the page. These URLs are not subjected to the same scheme validation and thus allow for arbitrary JavaScript execution on the Home Assistant administration page via usage of `javascript:` scheme URIs. This Cross-site Scripting (XSS) vulnerability can be executed on the Home Assistant frontend domain, which may be used for a full takeover of the Home Assistant account and installation. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Home Assistant 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Home Assistant是一套开源的家庭自动化管理系统。该系统主要用于控制家庭自动化设备。 Home assistant 2023.9.0之前版本存在安全漏洞,该漏洞源于login页面存在安全漏洞。攻击者可利用该漏洞使用本地Home assistant凭据登录到指定redirect_uri和client_id参数的另一个网站。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| home-assistant | core | < 2023.9.0 | - |
II. Public POCs for CVE-2023-41895
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-41895
请登录查看更多情报信息。
Vendor Advisories for CVE-2023-41895 (1)
Same Patch Batch · home-assistant · 2023-10-19 · 8 CVEs total
| CVE-2023-41897 | 8.8 HIGH | Lack of XFO header allows clickjacking in Home Assistant Core |
| CVE-2023-44385 | 8.6 HIGH | Client-Side Request Forgery in Home Assistant iOS/macOS native Apps |
| CVE-2023-41898 | 8.6 HIGH | Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for |
| CVE-2023-41896 | 7.1 HIGH | Fake websocket server installation permits full takeover in Home Assistant Core |
| CVE-2023-41899 | 6.6 MEDIUM | Partial Server-Side Request Forgery in Home Assistant Core |
| CVE-2023-41894 | 5.3 MEDIUM | Local-only webhooks externally accessible via SniTun in Home Assistant Core |
| CVE-2023-41893 | 4.3 MEDIUM | Account takeover via auth_callback login in Home Assistant Core |
IV. Related Vulnerabilities
Same product: core
- CVE-2026-45158
OPNsense: Command Injection via Attacker-Controlled DHCP Con - CVE-2026-44194
OPNsense: RCE on user managment - CVE-2026-44195
OPNsense: Authentication lockout bypass - CVE-2026-44193
OPNsense: RCE via XMLRPC endpoint using `opnsense.restore_co - CVE-2026-42552
Flight: Sensitive information disclosure via default error h
Same vendor: home-assistant
- CVE-2021-47942
Home Assistant Community Store 1.10.0 Path Traversal Account - CVE-2026-34205
Home Assistant: Unauthenticated App (Add-on) Endpoints Expos - CVE-2026-33045
Home Assistant has stored XSS in history-graphs - CVE-2026-33044
Home Assistant has stored XSS in Map-card through malicious - CVE-2025-62172
Home Assistant vulnerable to Stored XSS in Energy dashboard
Same weakness: CWE-79
- CVE-2026-44729
Twenty: Stored Cross-Site Scripting via Unsanitized File Ser - CVE-2026-48903
Joomla! Framework - [20260519] - Inadequate content filterin - CVE-2026-48905
Joomla! Framework - [20260520] - Inadequate content filterin - CVE-2026-25901
Joomla! Core - [20260502] - XSS in com_associations - CVE-2026-25900
Joomla! Core - [20260501] - XSS in feed modules
V. Comments for CVE-2023-41895
No comments yet