4 matches found
CVE-2023-41896
Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected authcallback=1, which is leveraged by the WebSocket authentication logic in tandem with the state parameter. The state parameter contains the hassUrl, which is...
CVE-2023-41896 Fake websocket server installation permits full takeover in Home Assistant Core
Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected authcallback=1, which is leveraged by the WebSocket authentication logic in tandem with the state parameter. The state parameter contains the hassUrl, which is...
CVE-2023-41896 Fake websocket server installation permits full takeover in Home Assistant Core
Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected authcallback=1, which is leveraged by the WebSocket authentication logic in tandem with the state parameter. The state parameter contains the hassUrl, which is...
CVE-2023-41896
CVE-2023-41896 affects Home Assistant Core and the home-assistant-js-websocket package. Cure53’s audit found that the frontend WebSocket authentication flow can be manipulated via an auth_callback=1 flag and a state parameter containing hassUrl, causing the frontend to connect to an attacker-cont...