Lucene search

GitHub_MCVELIST:CVE-2023-41898

HistoryOct 19, 2023 - 10:08 p.m.

CVE-2023-41898 Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for Android

2023-10-1922:08:40

CWE-94

CWE-345

GitHub_M

www.cve.org

cve-2023-41898

home assistant

webview

android

credential theft

patched

ghsl-2023-142

8.6 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

22.8%

JSON

Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-142.

CNA Affected

[
  {
    "vendor": "home-assistant",
    "product": "core",
    "versions": [
      {
        "version": "< 2023.9.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg

8.6 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

22.8%

JSON

Related for CVELIST:CVE-2023-41898