Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-41897

Good to know:

icon

Date: October 19, 2023

Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Python

Severity Score

Related Resources (5)

https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q
https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/
https://nvd.nist.gov/vuln/detail/CVE-2023-41897
https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw
https://www.mend.io/vulnerability-database/CVE-2023-41897

Severity Score

Weakness Type (CWE)

Improper Restriction of Rendered UI Layers or Frames

CWE-1021

Top Fix

icon

Upgrade Version

Upgrade to version homeassistant - 2023.9.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us