CVE-2023-41897

Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:21

Type Values Removed Values Added
References () https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw - Vendor Advisory () https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw - Vendor Advisory
References () https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q - Not Applicable () https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q - Not Applicable
References () https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/ - Vendor Advisory () https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/ - Vendor Advisory
CVSS v2 : unknown
v3 : 9.6
v2 : unknown
v3 : 8.8

26 Oct 2023, 16:16

Type Values Removed Values Added
CWE CWE-1021
References (MISC) https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw - (MISC) https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw - Vendor Advisory
References (MISC) https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/ - (MISC) https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/ - Vendor Advisory
References (MISC) https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q - (MISC) https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q - Not Applicable
CPE cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.6
First Time Home-assistant
Home-assistant home-assistant

19 Oct 2023, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-19 23:15

Updated : 2024-11-21 08:21


NVD link : CVE-2023-41897

Mitre link : CVE-2023-41897

CVE.ORG link : CVE-2023-41897


JSON object : View

Products Affected

home-assistant

  • home-assistant
CWE
CWE-1021

Improper Restriction of Rendered UI Layers or Frames