Homepage
About Snyk

homeassistant@2023.2.0b8 vulnerabilities

Open-source home automation platform running on Python 3.

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the homeassistant package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to missing X-Frame-Options headers. An attacker may trick users into installing an malicious add-ons or perform other unintended actions by exploiting frame functionality.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade homeassistant to version 2023.9.0b0 or higher.

[,2023.9.0b0)
  • C
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the login page, which accepts redirect URIs using the javascript: scheme within <link rel="redirect_uri" href="..."> tags on a requested page. An attacker can achieve full account takeover by exploiting this vector.

How to fix Cross-site Scripting (XSS)?

Upgrade homeassistant to version 2023.9.0 or higher.

[,2023.9.0)
  • M
Access Restriction Bypass

Affected versions of this package are vulnerable to Access Restriction Bypass by exposing local_only webhooks to the SniTun proxy via *.ui.nabu.casa URLs, even when the webhook is marked as "Only accessible from the local network".

How to fix Access Restriction Bypass?

Upgrade homeassistant to version 2023.9.0b0 or higher.

[,2023.9.0b0)
  • M
Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through 'hassio.addon_stdin', where an attacker capable of calling this service may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values.

How to fix Server-side Request Forgery (SSRF)?

Upgrade homeassistant to version 2023.9.0 or higher.

[,2023.9.0)
  • M
Information Exposure

Affected versions of this package are vulnerable to Information Exposure due to an issue with the login page, which discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. This could potentially allow an unauthorized actor to gain knowledge of all user accounts on the system.

Notes:

This applies to the local subnet where Home Assistant resides and to any private subnet that can reach it.

How to fix Information Exposure?

Upgrade homeassistant to version 2023.12.3 or higher.

[,2023.12.3)
  • M
Information Exposure Through Sent Data

Affected versions of this package are vulnerable to Information Exposure Through Sent Data via the redirect_uri and client_id parameters. Consequently, the code parameter utilized to fetch the access_token post-authentication will be sent to the URL specified in the aforementioned parameters.

Note: This is only exploitable if the victim's Home Assistant is exposed to the Internet and the victim authenticates via a link sent by the attacker.

How to fix Information Exposure Through Sent Data?

Upgrade homeassistant to version 2023.9.0 or higher.

[,2023.9.0)
  • M
Authentication Bypass

Affected versions of this package are vulnerable to Authentication Bypass which allows accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older.

Note: Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment are not affected by this vulnerability.

How to fix Authentication Bypass?

Upgrade homeassistant to version 2023.3.0 or higher.

[,2023.3.0)
Go back to all versions of this package