Lucene search

Veracode Vulnerability DatabaseVERACODE:45796

HistoryMar 07, 2024 - 9:38 a.m.

Cross Site Scripting(XSS)

2024-03-0709:38:09

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross site scripting

api

esphome

remote

injection

vulnerability

web scripts

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

6.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

esphome is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to unsanitized data being served with Content-Type: text/html; charset=UTF-8 in the API dashboard through Edit configuration file API. It allows a remote authenticated user to inject arbitrary web scripts and potentially execute malicious actions by exploiting the Cross-Site Scripting (XSS).

CPENameOperatorVersion
esphomele2024.2.1
esphomele2024.2.1

CPE	Name	Operator	Version
	esphome	le	2024.2.1
	esphome	le	2024.2.1

References

github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455

github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

6.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for VERACODE:45796