CVE-2023-41897
published 2023-10-19CVE-2023-41897: Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which…
PriorityP354critical9.6CVSS 3.1
AVNACLPRNUIRSCCHIHAH
EPSS
0.95%
56.8th percentile
Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| home-assistant | core | < 2023.9.0 | 2023.9.0 |
| home-assistant | home-assistant | < 2023.9.0 | 2023.9.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mwhttps://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5qhttps://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mwhttps://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5qhttps://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/
2023-10-19
Published