Lucene search

PRIOn knowledge basePRION:CVE-2023-41897

HistoryOct 19, 2023 - 11:15 p.m.

Remote code execution

2023-10-1923:15:00

PRIOn knowledge base

www.prio-n.com

home automation

clickjacking

exploit opportunity

security advisory

version 2023.9.0

upgrade

9.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.5%

JSON

Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CPENameOperatorVersion
home-assistantlt2023.9.0

CPE	Name	Operator	Version
	home-assistant	lt	2023.9.0

References

github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw

github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q

www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/