CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
EPSS
Percentile: 20.2%
homeassistant is vulnerable to Broken Authentication. An attacker could exploit this vulnerability by tricking a user into clicking a malicious link. The link would direct the user to a malicious website that initiates the OAuth2 login process with a specially crafted redirect URI. If the user authenticates, the malicious website would receive the user's access token, which could then be used to access the user's Home Assistant instance.