CVE-2023-41897
Summary
| CVE | CVE-2023-41897 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-19 23:15:00 UTC |
| Updated | 2023-10-26 16:16:00 UTC |
| Description | Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. |
Risk And Classification
Problem Types: CWE-1021
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Home-assistant | Home-assistant | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Fake WS server installation permits full takeover · Advisory · home-assistant/core · GitHub | MISC | github.com | |
| Lack of XFO header allows clickjacking · Advisory · home-assistant/core · GitHub | MISC | github.com | |
| Security audits of Home Assistant - Home Assistant | MISC | www.home-assistant.io | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.