PT-2023-28152 · Unknown · Home Assistant Core+1

Frenck · Published 2023-10-19 · Updated 2023-10-26 · CVE-2023-41896

CVSS v3.1: 7.1 High

Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Home Assistant Core versions prior to 2023.8.0
home-assistant-js-websocket versions prior to 8.2.0

Description

The issue affects an open-source home automation system whose WebSocket authentication logic can be exploited. Specifically, the auth_callback=1 parameter, in conjunction with a state parameter containing the hassUrl, allows an attacker to create a malicious link that forces the frontend to connect to an alternative WebSocket backend. This enables the attacker to spoof WebSocket responses and trigger cross-site scripting (XSS), potentially leading to a comprehensive takeover scenario. Because the site can be iframed by other origins, the exploit can be made more covert. The audit team found that, despite reasonable security hardening, the js_url for custom panels could be exploited.

Recommendations

For Home Assistant Core versions prior to 2023.8.0, upgrade to version 2023.8.0 or later. For home-assistant-js-websocket versions prior to 8.2.0, upgrade to version 8.2.0 or later. As a temporary workaround, consider modifying the WebSocket code's authentication flow so that it does not trust the hassUrl passed in by a GET parameter. However, the best course of action is to upgrade to the fixed versions.
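
The workaround described above, sketched as an added example (this is not code from Home Assistant or home-assistant-js-websocket): the callback handler accepts the hassUrl from the state parameter only when its parsed origin equals the origin the frontend was served from. It assumes state is base64-encoded JSON with a hassUrl field; the function names and the ha.example.test values are constructed for illustration.

```javascript
// Added example, not code from Home Assistant or home-assistant-js-websocket.
// Assumption: "state" is base64-encoded JSON carrying a hassUrl field.

// Decode the state parameter; any malformed input yields null.
function decodeState(encoded) {
  try {
    const obj = JSON.parse(atob(encoded));
    return obj !== null && typeof obj === "object" ? obj : null;
  } catch {
    return null;
  }
}

// Return the WebSocket URL to use after an auth callback, or null when the
// hassUrl in the callback does not match the origin the page was served from.
function websocketUrlForCallback(callbackHref, servedOrigin) {
  const page = new URL(callbackHref);
  if (!page.searchParams.has("auth_callback")) return null;
  const state = decodeState(page.searchParams.get("state") || "");
  if (!state || typeof state.hassUrl !== "string") return null;

  let claimed;
  try {
    claimed = new URL(state.hassUrl);
  } catch {
    return null; // not a parseable absolute URL
  }
  // Compare parsed origins (scheme, host, port), never string prefixes:
  // userinfo ("trusted@other") and look-alike suffixes defeat prefix checks.
  if (claimed.origin !== new URL(servedOrigin).origin) return null;

  const scheme = claimed.protocol === "https:" ? "wss:" : "ws:";
  return `${scheme}//${claimed.host}/api/websocket`;
}

// Constructed sample inputs (hypothetical instance at ha.example.test).
const SERVED = "https://ha.example.test:8123";
function makeCallback(hassUrl) {
  const state = btoa(JSON.stringify({ hassUrl, clientId: SERVED + "/" }));
  return `${SERVED}/?auth_callback=1&code=x&state=${encodeURIComponent(state)}`;
}
```

In a browser, servedOrigin would be window.location.origin, so a link carrying a foreign hassUrl is rejected before any WebSocket is opened.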

Exploit

Fix

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2023-41896
GHSA-935V-RMG9-44MW
GHSA-CR83-Q7R2-7F5Q

Affected Products

Home Assistant Core
Home-Assistant-Js-Websocket