homeassistant@2021.3.0b4 vulnerabilities
Open-source home automation platform running on Python 3.
-
latest version
2024.11.3
-
latest non vulnerable version
-
first published
9 years ago
-
latest version published
8 days ago
-
licenses detected
- [0.37.0,)
Direct Vulnerabilities
Known vulnerabilities in the homeassistant package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to missing How to fix Cross-site Request Forgery (CSRF)? Upgrade |
[,2023.9.0b0)
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the login page, which accepts redirect URIs using the How to fix Cross-site Scripting (XSS)? Upgrade |
[,2023.9.0)
|
Affected versions of this package are vulnerable to Access Restriction Bypass by exposing local_only webhooks to the SniTun proxy via How to fix Access Restriction Bypass? Upgrade |
[,2023.9.0b0)
|
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through 'hassio.addon_stdin', where an attacker capable of calling this service may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values. How to fix Server-side Request Forgery (SSRF)? Upgrade |
[,2023.9.0)
|
Affected versions of this package are vulnerable to Information Exposure due to an issue with the login page, which discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. This could potentially allow an unauthorized actor to gain knowledge of all user accounts on the system. Notes: This applies to the local subnet where Home Assistant resides and to any private subnet that can reach it. How to fix Information Exposure? Upgrade |
[,2023.12.3)
|
Affected versions of this package are vulnerable to Information Exposure Through Sent Data via the Note: This is only exploitable if the victim's Home Assistant is exposed to the Internet and the victim authenticates via a link sent by the attacker. How to fix Information Exposure Through Sent Data? Upgrade |
[,2023.9.0)
|
Affected versions of this package are vulnerable to Authentication Bypass which allows accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Note: Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment are not affected by this vulnerability. How to fix Authentication Bypass? Upgrade |
[,2023.3.0)
|