Highjesserockz

**Name of the Vulnerable Software and Affected Versions** ESPHome versions 2023.12.9 through 2024.2.x ESPHome version 2023.12.9 **Description** The dashboard component of ESPHome contains API endpoints that are vulnerable to Cross-Site Request Forgery (CSRF), allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files, such as create, edit, and delete. A malicious actor can create a specifically crafted web page that triggers a cross-site request against ESPHome, bypassing the authentication for API calls on the platform. This issue can be chained with another vulnerability to obtain a complete takeover of the user account. The victim must visit a weaponized page to trigger the vulnerability. **Recommendations** For ESPHome version 2023.12.9, update to version 2024.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the dashboard component to minimize the risk of exploitation. Avoid using the dashboard component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ESPHome versions 2023.12.9 through 2024.2.0 **Description** A security misconfiguration in the edit configuration file API in the dashboard component of ESPHome allows authenticated remote attackers to read and write arbitrary files under the configuration directory, rendering remote code execution possible. This issue gives read and write access to files under the configuration directory and allows malicious users to write arbitrary code in python scripts executed during the compilation and flashing of firmwares for ESP boards. It also allows accessing sensitive information such as esphome.json and board firmware source code, enabling a user to modify the board firmware and leak secrets such as WiFi network credentials, fallback hotspot WiFi credentials, OTA component authentication password, and API encryption key. **Recommendations** For ESPHome version 2023.12.9, update to version 2024.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the configuration directory to minimize the risk of exploitation. Avoid using the `configuration` parameter in the `/edit` API endpoint until the issue is resolved.