CVE-2023-44385— Client-Side Request Forgery in Home Assistant iOS/macOS native Apps
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-44385
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Client-Side Request Forgery in Home Assistant iOS/macOS native Apps
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨站请求伪造(CSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Home Assistant Companion 跨站请求伪造漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Home Assistant是一套开源的家庭自动化管理系统。该系统主要用于控制家庭自动化设备。 Home Assistant Companion 2023.7之前版本存在安全漏洞,该漏洞源于存在客户端请求伪造漏洞。攻击者可利用该漏洞向受害者发送恶意/QR链接以调用任意服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| home-assistant | core | < 2023.7 | - |
II. Public POCs for CVE-2023-44385
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-44385
请登录查看更多情报信息。
Same Patch Batch · home-assistant · 2023-10-19 · 8 CVEs total
| CVE-2023-41897 | 8.8 HIGH | Lack of XFO header allows clickjacking in Home Assistant Core |
| CVE-2023-41895 | 8.8 HIGH | Cross-site Scripting via auth_callback login in Home Assistant Core |
| CVE-2023-41898 | 8.6 HIGH | Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for |
| CVE-2023-41896 | 7.1 HIGH | Fake websocket server installation permits full takeover in Home Assistant Core |
| CVE-2023-41899 | 6.6 MEDIUM | Partial Server-Side Request Forgery in Home Assistant Core |
| CVE-2023-41894 | 5.3 MEDIUM | Local-only webhooks externally accessible via SniTun in Home Assistant Core |
| CVE-2023-41893 | 4.3 MEDIUM | Account takeover via auth_callback login in Home Assistant Core |
IV. Related Vulnerabilities
Same product: core
- CVE-2026-42278
UltraDAG: Smart Account Spending Policy Bypass via Pockets - CVE-2026-40583
UltraDAG: SmartOp Vote Path Triggers Fatal Supply Invariant - CVE-2026-34578
OPNsense has an LDAP Injection via Unsanitized Username in A - CVE-2026-34762
Ella Core Has Audit Log Falsification via Path/Body IMSI Mis - CVE-2026-34761
Ella Core Panics Upon NGAP handover failure
Same vendor: home-assistant
- CVE-2026-34205
Home Assistant: Unauthenticated App (Add-on) Endpoints Expos - CVE-2026-33045
Home Assistant has stored XSS in history-graphs - CVE-2026-33044
Home Assistant has stored XSS in Map-card through malicious - CVE-2025-62172
Home Assistant vulnerable to Stored XSS in Energy dashboard - CVE-2025-25305
SSL validation for outgoing requests in Home Assistant Core
Same weakness: CWE-352
- CVE-2021-47953
OpenCart 3.0.3.7 Cross-Site Request Forgery via account/pass - CVE-2021-47946
OpenCart 3.0.36 Account Takeover via Cross Site Request Forg - CVE-2022-50955
WordPress Plugin Curtain 1.0.2 Cross-site Request Forgery - CVE-2026-8194
osTicket Dispatcher class.dispatcher.php cross-site request - CVE-2026-42286
Emlog: Cross-Site Request Forgery in Admin Functions
V. Comments for CVE-2023-44385
No comments yet