PT-2023-28154 · Home Assistant · Home Assistant Companion For Android

Atorralba

Publicado

2023-10-19

Atualizado

2023-10-26

CVE-2023-41898

CVSS v3.1

8.6

Alta

Vetor

AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Home Assistant Companion for Android app versions 2023.8.2 and earlier

Description The Home Assistant Companion for Android app is vulnerable to arbitrary URL loading in a WebView, enabling attacks such as arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2.

Recommendations For versions 2023.8.2 and earlier, upgrade to version 2023.9.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the WebView component until a patch is applied. There are no known workarounds for this vulnerability.

Exploit

Correção

Code Injection

Insufficient Verification of Data Authenticity

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-94CWE-345

Identificadores relacionados

CVE-2023-41898

GHSA-JVPM-Q3HQ-86RG

Produtos afetados

Home Assistant Companion For Android

PT-2023-28154 · Home Assistant · Home Assistant Companion For Android

CVE-2023-41898

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7