CVE-2023-41896

Summary

CVE-2023-41896 is a vulnerability affecting Home Assistant, an open-source home automation system. During a code audit, Cure53 discovered that the frontend accepts a `hassUrl` parameter in the `state` query string of a WebSocket authentication request. Malicious actors can exploit this by creating a manipulated Home Assistant link with a modified `state` parameter, allowing them to establish a connection to a fake WebSocket backend and execute cross-site scripting (XSS) attacks. Since the XSS occurs on the actual Home Assistant frontend domain, attackers can gain comprehensive control over the system. This vulnerability can be exploited even if the site is not iframed by other origins, as an attacker can simply send the malicious link directly to the victim. To mitigate this issue, Home Assistant developers are advised to modify the WebSocket code's authentication flow and not trust the `hassUrl` passed through a GET parameter. The vulnerability was addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket version 8.2.0. Users are encouraged to upgrade as soon as possible, and there are currently no known workarounds for this vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.