CVE-2023-41897

Name of the Vulnerable Software and Affected Versions Home Assistant versions prior to 2023.9.0

Description The issue concerns the omission of HTTP security headers, including the X-Frame-Options header, in Home Assistant server. This omission facilitates covert clickjacking attacks and other exploit opportunities, allowing attackers to trick users into installing malicious add-ons with minimal interaction. This could enable Remote Code Execution (RCE) within the Home Assistant application.

Recommendations For versions prior to 2023.9.0, upgrade to version 2023.9.0 to address the issue. As a temporary workaround, consider restricting access to the Home Assistant web interface to minimize the risk of exploitation. Avoid using the web interface until the issue is resolved.