Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) home-assistant-js-websocket is a Home Assistant websocket client Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `state` parameter in the WebSocket authentication logic. An attacker can spoof WebSocket responses and execute this vulnerability by crafting a malicious link with a modified `state` parameter that redirects the frontend to an alternative WebSocket backend. This is only exploitable if the attacker can persuade the victim to click on a malicious link. Additionally, the ability to iframe the site from other origins can make the attack more covert, as a malicious website could hide the attack in the background How to fix Cross-site Scripting (XSS)? Upgrade `home-assistant-js-websocket` to version 8.2.0 or higher.	<8.2.0

Cross-site Scripting (XSS)

home-assistant-js-websocket is a Home Assistant websocket client

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the state parameter in the WebSocket authentication logic. An attacker can spoof WebSocket responses and execute this vulnerability by crafting a malicious link with a modified state parameter that redirects the frontend to an alternative WebSocket backend. This is only exploitable if the attacker can persuade the victim to click on a malicious link. Additionally, the ability to iframe the site from other origins can make the attack more covert, as a malicious website could hide the attack in the background

How to fix Cross-site Scripting (XSS)?

Upgrade home-assistant-js-websocket to version 8.2.0 or higher.

<8.2.0

Go back to all versions of this package