Cross Site Scripting (XSS)
home-assistant/core and home-assistant-js-websocket are vulnerable to an XSS attack. The vulnerability occurs due to a loophole in the WebSocket authentication logic. The logic uses a state parameter which contains hassurl. This mechanism enables attackers to spoof WebSocket responses and trigger XSS...
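A defensive check for the pattern described above, as an added example that is not code from home-assistant/core or home-assistant-js-websocket and not the project's actual fix: the client refuses to open a WebSocket to any origin it has not pinned, whatever the `state` parameter says. Assumptions: `state` is base64-encoded JSON with a `hassUrl` field, the function and helper names are hypothetical, and the hosts are constructed samples.

```javascript
// Added example. Assumption: `state` is base64-encoded JSON carrying `hassUrl`.
const decodeB64 = (s) =>
  typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("binary");
const encodeB64 = (s) =>
  typeof btoa === "function" ? btoa(s) : Buffer.from(s, "binary").toString("base64");

// Returns the WebSocket endpoint to connect to, or throws when the hassUrl
// carried in `state` is not an origin this deployment has pinned.
function websocketUrlFromState(stateParam, trustedOrigins) {
  let state;
  try {
    state = JSON.parse(decodeB64(stateParam));
  } catch {
    throw new Error("state is not valid base64 JSON");
  }
  if (!state || typeof state.hassUrl !== "string") {
    throw new Error("state has no hassUrl");
  }
  let url;
  try {
    url = new URL(state.hassUrl);
  } catch {
    throw new Error("hassUrl is not an absolute URL");
  }
  // Only web schemes: rejects javascript:, data:, file: and similar.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error("hassUrl scheme not allowed: " + url.protocol);
  }
  // Userinfo can make a foreign host look like the trusted one.
  if (url.username || url.password) {
    throw new Error("hassUrl must not carry credentials");
  }
  // Compare the parsed origin (scheme + host + port), never a string prefix.
  if (!trustedOrigins.includes(url.origin)) {
    throw new Error("hassUrl origin not trusted: " + url.origin);
  }
  const scheme = url.protocol === "https:" ? "wss:" : "ws:";
  return `${scheme}//${url.host}/api/websocket`;
}

// Constructed sample data for exercising the check.
const TRUSTED = ["https://hass.example.test:8123"];
const makeState = (hassUrl) => encodeB64(JSON.stringify({ hassUrl }));
function accepts(hassUrl) {
  try { websocketUrlFromState(makeState(hassUrl), TRUSTED); return true; }
  catch { return false; }
}
```

Origin pinning only limits where the client connects; data received over the socket still needs output encoding before it is rendered.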