Frenck

**Name of the Vulnerable Software and Affected Versions** Home Assistant versions prior to 2023.9.0 **Description** The issue concerns the alterability of the `redirect uri` and `client id` when logging in to Home Assistant, an open-source home automation system. This allows an attacker to manipulate a user and retrieve account access by sending a link with a controlled `redirect uri` to the victim's Home Assistant instance. If the victim authenticates via this link, the attacker can obtain the code sent to the specified URL in `redirect uri` and leverage it to fetch an `access token`. The attack strategy is plausible if the victim has exposed their Home Assistant to the Internet. An attacker could increase the efficacy of this strategy by registering a nearly identical domain to `homeassistant.local`, which may appear legitimate and obfuscate malicious intentions. **Recommendations** To resolve the issue, upgrade to version 2023.9.0 or later. As a temporary workaround, consider restricting access to the `redirect uri` parameter to minimize the risk of exploitation. Avoid using the `redirect uri` parameter in the affected login endpoint until the issue is resolved. Restrict access to the Home Assistant instance from the Internet to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Home Assistant versions prior to 2023.9.0 **Description** The issue affects Home Assistant, an open-source home automation system. Webhooks in the webhook component can be triggered via the `*.ui.nabu.casa` URL without authentication, even when marked as only accessible from the local network. This is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. **Recommendations** For versions prior to 2023.9.0, upgrade to version 2023.9.0 to address the issue. As a temporary workaround, consider restricting access to the webhook component until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Home Assistant versions prior to 2023.9.0 **Description** The Home Assistant login page is affected by a Cross-site Scripting (XSS) issue. This occurs because the `redirect uri` validation does not properly check the scheme of URLs, allowing for arbitrary JavaScript execution on the Home Assistant administration page via the use of `javascript:` scheme URIs. This can be exploited for a full takeover of the Home Assistant account and installation. The issue is related to the `redirect uri` and `client id` parameters, and the lack of scheme validation for URLs specified in `<link rel="redirect uri" href="...">` HTML tags. **Recommendations** For versions prior to 2023.9.0, upgrade to version 2023.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the login page or disabling the use of external `redirect uri` parameters until the upgrade can be applied. Avoid using the `redirect uri` parameter with untrusted websites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Home Assistant Core versions prior to 2023.8.0 home-assistant-js-websocket versions prior to 8.2.0 **Description** The issue concerns an open-source home automation system where the WebSocket authentication logic is vulnerable to exploitation. Specifically, the `auth callback=1` parameter, in conjunction with the `state` parameter containing the `hassUrl`, allows an attacker to create a malicious link that forces the frontend to connect to an alternative WebSocket backend. This enables the attacker to spoof WebSocket responses and trigger cross-site scripting (XSS), potentially leading to a comprehensive takeover scenario. The fact that the site can be iframed by other origins makes the exploit more covert. The audit team found that despite reasonable security hardening, the `js url` for custom panels could be exploited. **Recommendations** For Home Assistant Core versions prior to 2023.8.0, upgrade to version 2023.8.0 or later. For home-assistant-js-websocket versions prior to 8.2.0, upgrade to version 8.2.0 or later. As a temporary workaround, consider modifying the WebSocket code’s authentication flow to not trust the `hassUrl` passed in by a GET parameter. However, the best course of action is to upgrade to the fixed versions.

**Name of the Vulnerable Software and Affected Versions** Home Assistant versions prior to 2023.9.0 **Description** The issue concerns the omission of HTTP security headers, including the X-Frame-Options header, in Home Assistant server. This omission facilitates covert clickjacking attacks and other exploit opportunities, allowing attackers to trick users into installing malicious add-ons with minimal interaction. This could enable Remote Code Execution (RCE) within the Home Assistant application. **Recommendations** For versions prior to 2023.9.0, upgrade to version 2023.9.0 to address the issue. As a temporary workaround, consider restricting access to the Home Assistant web interface to minimize the risk of exploitation. Avoid using the web interface until the issue is resolved.