ESPHome · CVE-2024-27287
**Name of the Vulnerable Software and Affected Versions**
ESPHome versions 2023.12.9 through 2024.2.2
**Description**
The issue allows a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via cross-site scripting (XSS). A malicious authenticated user can inject arbitrary JavaScript into configuration files using a POST request to the "/edit" endpoint, whose configuration parameter specifies the file to write. To trigger the vulnerability, the victim must visit the page "/edit?configuration=[xss file]". This could allow a malicious actor to perform operations on the dashboard on behalf of the logged-in user, access sensitive information, create, edit, and delete configuration files, and flash firmware on managed boards. Additionally, the session cookie is not set with the attributes that protect it, allowing its value to be exfiltrated.
**Recommendations**
For ESPHome versions 2023.12.9 through 2024.2.2, update to version 2024.2.2 or later, which contains a patch for this issue. As a temporary workaround, consider restricting access to the "/edit" endpoint to minimize the risk of exploitation. Avoid using the configuration parameter of the affected endpoint until the update has been applied.
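The two weaknesses the advisory describes (untrusted file content rendered into the editor page unescaped, and a session cookie that scripts can read) are illustrated below with generic code added for this page. It is not ESPHome's dashboard code: the `render_editor_unsafe` / `render_editor_safe` functions, the `SAMPLE_CONFIG` text and the cookie name `session` are constructed for the example. The first pair shows the vulnerable interpolation beside its HTML-escaped form; `session_cookie_issues` checks a `Set-Cookie` header for the attributes (HttpOnly, Secure, SameSite) that limit what an injected script or a cleartext connection can do with the cookie.

```python
import html
import re

# Constructed sample: a dashboard configuration file whose contents an
# authenticated user controls. The <script> element stands in for the
# injected JavaScript the advisory describes (constructed, not a real payload).
SAMPLE_CONFIG = 'esphome:\n  name: demo  # <script>document.title = "x"</script>\n'


def render_editor_unsafe(filename: str, contents: str) -> str:
    """Vulnerable pattern (hypothetical, not ESPHome's code): file name and
    file contents are interpolated into the page verbatim, so any markup
    inside them becomes part of the DOM and any script inside it executes
    in the dashboard's origin."""
    return f"<h1>{filename}</h1><textarea>{contents}</textarea>"


def render_editor_safe(filename: str, contents: str) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped before it is
    placed in the page, so '<', '>', '&' and quotes arrive as text."""
    return (
        f"<h1>{html.escape(filename)}</h1>"
        f"<textarea>{html.escape(contents)}</textarea>"
    )


# A live script element is one whose '<' was not escaped.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def contains_script_element(rendered_html: str) -> bool:
    """True when a <script ...> element survived into the rendered markup."""
    return SCRIPT_TAG.search(rendered_html) is not None


def session_cookie_issues(set_cookie_header: str) -> list:
    """Report which protective attributes are missing from a Set-Cookie header.

    HttpOnly keeps the cookie out of reach of page scripts (the exfiltration
    path the advisory mentions), Secure keeps it off cleartext HTTP, and
    SameSite=Lax/Strict stops cross-site requests from carrying it.
    """
    parts = [p.strip() for p in set_cookie_header.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the name=value pair itself
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip().lower()

    issues = []
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: cookie readable by page scripts")
    if "secure" not in attrs:
        issues.append("missing Secure: cookie sent over cleartext HTTP")
    if attrs.get("samesite") not in ("lax", "strict"):
        issues.append("missing or weak SameSite: cross-site requests carry the cookie")
    return issues


if __name__ == "__main__":
    unsafe = render_editor_unsafe("demo.yaml", SAMPLE_CONFIG)
    safe = render_editor_safe("demo.yaml", SAMPLE_CONFIG)
    print("unsafe render executes script:", contains_script_element(unsafe))
    print("safe render executes script:  ", contains_script_element(safe))

    # Constructed headers: one as a weakly configured dashboard might emit it,
    # one with the protective attributes present.
    for header in ("session=abc123", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"):
        print(header, "->", session_cookie_issues(header) or "ok")
```

The escaping step is the fix for the injection itself; the cookie attributes reduce what a successful injection or a cleartext connection can take, but they do not stop an injected script from issuing dashboard requests on the victim's behalf, which is why the update (or restricting the "/edit" endpoint) remains the primary remedy.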