2 matches found
CVE-2023-41895 Cross-site Scripting via auth_callback login in Home Assistant Core
Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the redirecturi and clientid parameters. Although the redirecturi validation typically ensures that it matches th...
CVE-2023-41895
CVE-2023-41895 affects Home Assistant Core. The issue is a cross-site scripting (XSS) vulnerability on the login/redirect flow: the frontend fetches the client_id and checks for tags, but those URLs are not subject to the same scheme validation, allowing arbitrary javascript: URIs to execute on ...