CVE-2023-44385
published 2023-10-19CVE-2023-44385: The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs…
PriorityP350high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
0.28%
20.1th percentile
The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| home-assistant | core | < 2023.7 | 2023.7 |
| home-assistant | home_assistant_companion | < 2023.7 | 2023.7 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-10-19
Published