CVE-2023-41895

Name of the Vulnerable Software and Affected Versions Home Assistant versions prior to 2023.9.0

Description The Home Assistant login page is affected by a Cross-site Scripting (XSS) issue. This occurs because the redirect uri validation does not properly check the scheme of URLs, allowing for arbitrary JavaScript execution on the Home Assistant administration page via the use of javascript: scheme URIs. This can be exploited for a full takeover of the Home Assistant account and installation. The issue is related to the redirect uri and client id parameters, and the lack of scheme validation for URLs specified in <link rel="redirect uri" href="..."> HTML tags.

Recommendations For versions prior to 2023.9.0, upgrade to version 2023.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the login page or disabling the use of external redirect uri parameters until the upgrade can be applied. Avoid using the redirect uri parameter with untrusted websites to minimize the risk of exploitation.