Metric | Value |
---|---|
CVSS3 | 5.3 Medium |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
EPSS | 0.0005 Low |
EPSS Percentile | 17.0% |

homeassistant is vulnerable to Authentication Bypass. An attacker can trigger webhooks that are marked as only accessible from the local network, even when the attacker is not connected to the local network. The attacker could exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable Home Assistant instance. The request would cause the instance to trigger the webhook even though the webhook is marked as only accessible from the local network, which could allow the attacker to execute arbitrary code on the Home Assistant instance or steal data from the user’s local network.

CPE

Name | Operator | Version |
---|---|---|
homeassistant | le | 2022.9.0b4 |