homeassistant@2023.8.1 vulnerabilities

Open-source home automation platform running on Python 3.

latest version

2024.11.3
latest non vulnerable version

2024.12.0b2
first published

9 years ago
latest version published

7 days ago
licenses detected
- Apache-2.0
  [0.37.0,)
View homeassistant package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the homeassistant package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Cross-site Request Forgery (CSRF) Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to missing `X-Frame-Options` headers. An attacker may trick users into installing an malicious add-ons or perform other unintended actions by exploiting frame functionality. How to fix Cross-site Request Forgery (CSRF)? Upgrade `homeassistant` to version 2023.9.0b0 or higher.	[,2023.9.0b0)
C Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the login page, which accepts redirect URIs using the `javascript:` scheme within `<link rel="redirect_uri" href="...">` tags on a requested page. An attacker can achieve full account takeover by exploiting this vector. How to fix Cross-site Scripting (XSS)? Upgrade `homeassistant` to version 2023.9.0 or higher.	[,2023.9.0)
M Access Restriction Bypass Affected versions of this package are vulnerable to Access Restriction Bypass by exposing local_only webhooks to the SniTun proxy via `*.ui.nabu.casa` URLs, even when the webhook is marked as "Only accessible from the local network". How to fix Access Restriction Bypass? Upgrade `homeassistant` to version 2023.9.0b0 or higher.	[,2023.9.0b0)
M Server-side Request Forgery (SSRF) Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through 'hassio.addon_stdin', where an attacker capable of calling this service may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values. How to fix Server-side Request Forgery (SSRF)? Upgrade `homeassistant` to version 2023.9.0 or higher.	[,2023.9.0)
M Information Exposure Affected versions of this package are vulnerable to Information Exposure due to an issue with the login page, which discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. This could potentially allow an unauthorized actor to gain knowledge of all user accounts on the system. Notes: This applies to the local subnet where Home Assistant resides and to any private subnet that can reach it. How to fix Information Exposure? Upgrade `homeassistant` to version 2023.12.3 or higher.	[,2023.12.3)
M Information Exposure Through Sent Data Affected versions of this package are vulnerable to Information Exposure Through Sent Data via the `redirect_uri` and `client_id` parameters. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Note: This is only exploitable if the victim's Home Assistant is exposed to the Internet and the victim authenticates via a link sent by the attacker. How to fix Information Exposure Through Sent Data? Upgrade `homeassistant` to version 2023.9.0 or higher.	[,2023.9.0)

Go back to all versions of this package

homeassistant@2023.8.1 vulnerabilities

Open-source home automation platform running on Python 3.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities