CVE-2023-41898— Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for Android
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-41898
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for Android
Source: NVD (National Vulnerability Database)
Vulnerability Description
Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对数据真实性的验证不充分
Source: NVD (National Vulnerability Database)
Vulnerability Title
Home Assistant 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Home Assistant是一套开源的家庭自动化管理系统。该系统主要用于控制家庭自动化设备。 Home Assistant 2023.9.2之前版本存在安全漏洞,该漏洞源于WebView中存在任意URL加载问题。攻击者可利用该漏洞进行任意JavaScript执行、有限的本地代码执行和凭据盗窃等操作。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| home-assistant | core | < 2023.9.2 | - |
II. Public POCs for CVE-2023-41898
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-41898
请登录查看更多情报信息。
Same Patch Batch · home-assistant · 2023-10-19 · 8 CVEs total
| CVE-2023-41897 | 8.8 HIGH | Lack of XFO header allows clickjacking in Home Assistant Core |
| CVE-2023-41895 | 8.8 HIGH | Cross-site Scripting via auth_callback login in Home Assistant Core |
| CVE-2023-44385 | 8.6 HIGH | Client-Side Request Forgery in Home Assistant iOS/macOS native Apps |
| CVE-2023-41896 | 7.1 HIGH | Fake websocket server installation permits full takeover in Home Assistant Core |
| CVE-2023-41899 | 6.6 MEDIUM | Partial Server-Side Request Forgery in Home Assistant Core |
| CVE-2023-41894 | 5.3 MEDIUM | Local-only webhooks externally accessible via SniTun in Home Assistant Core |
| CVE-2023-41893 | 4.3 MEDIUM | Account takeover via auth_callback login in Home Assistant Core |
IV. Related Vulnerabilities
Same product: core
- CVE-2026-42278
UltraDAG: Smart Account Spending Policy Bypass via Pockets - CVE-2026-40583
UltraDAG: SmartOp Vote Path Triggers Fatal Supply Invariant - CVE-2026-34578
OPNsense has an LDAP Injection via Unsanitized Username in A - CVE-2026-34762
Ella Core Has Audit Log Falsification via Path/Body IMSI Mis - CVE-2026-34761
Ella Core Panics Upon NGAP handover failure
Same vendor: home-assistant
- CVE-2026-34205
Home Assistant: Unauthenticated App (Add-on) Endpoints Expos - CVE-2026-33045
Home Assistant has stored XSS in history-graphs - CVE-2026-33044
Home Assistant has stored XSS in Map-card through malicious - CVE-2025-62172
Home Assistant vulnerable to Stored XSS in Energy dashboard - CVE-2025-25305
SSL validation for outgoing requests in Home Assistant Core
Same weakness: CWE-345
- CVE-2026-42575
apko doesn't verify downloaded apk packages against APKINDEX - CVE-2026-41432
New API: Stripe Webhook Signature Bypass via Empty Secret En - CVE-2026-42206
Roadiz OpenID Connect nonce generated but never validated — - CVE-2026-31835
Vaultwarden WebAuthn credential metadata tampered before sig - CVE-2026-43534
OpenClaw < 2026.4.10 - Unsanitized External Input in Agent H
V. Comments for CVE-2023-41898
No comments yet