PT-2024-21795 · Esphome · Esphome

Jesserockz · Published 2024-03-06 · Updated 2026-03-03 · CVE-2024-27287

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ESPHome versions 2023.12.9 through 2024.2.2

Description: The issue allows a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via cross-site scripting. A malicious authenticated user can inject arbitrary JavaScript into configuration files using a POST request to the "/edit" endpoint, where the configuration parameter specifies the file to write. To trigger the vulnerability, the victim must visit the page "/edit?configuration=[xss file]". This could allow a malicious actor to perform operations on the dashboard on behalf of a logged-in user, access sensitive information, create, edit, and delete configuration files, and flash firmware on managed boards. Additionally, cookies are not correctly secured, allowing the exfiltration of session cookie values.

Recommendations: For ESPHome versions 2023.12.9 through 2024.2.2, update to version 2024.2.2 or later, which contains a patch for this issue. As a temporary workaround, consider restricting access to the "/edit" endpoint to minimize the risk of exploitation. Avoid using the configuration parameter in the affected API endpoint until the issue is resolved.
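As an added defender-side example (not code from the advisory or the ESPHome project), the script below scans reverse-proxy access logs for the write-then-view pattern on "/edit" described above and checks whether the dashboard's Set-Cookie header carries the attributes the advisory says were missing. The log format, the user names, the cookie name and the sample lines are constructed assumptions.

```python
"""Detection helper for the ESPHome dashboard /edit issue (CVE-2024-27287).

Assumption: a reverse proxy in front of the dashboard logs method, path and
query string in a common-log-like format. All sample data is constructed.
"""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines: one user writes a configuration file via
# POST /edit, a different user later opens the same file via GET /edit.
SAMPLE_LOG = """\
10.0.0.5 - admin [06/Mar/2024:10:00:01 +0000] "POST /edit?configuration=living_room.yaml HTTP/1.1" 200 12
10.0.0.5 - admin [06/Mar/2024:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 5120
10.0.0.9 - operator [06/Mar/2024:10:05:10 +0000] "GET /edit?configuration=living_room.yaml HTTP/1.1" 200 840
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_edit_events(log_text):
    """Return (user, method, configuration) for every request to /edit."""
    events = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        url = urlsplit(match["target"])
        if url.path != "/edit":
            continue
        config = parse_qs(url.query).get("configuration", [None])[0]
        events.append((match["user"], match["method"], config))
    return events


def files_written_then_viewed_by_others(events):
    """Flag files written via POST by one user and opened via GET by another;
    that is the sequence the advisory describes for triggering the XSS."""
    writers = {}
    for user, method, config in events:
        if method == "POST" and config:
            writers.setdefault(config, set()).add(user)
    return {config for user, method, config in events
            if method == "GET" and config in writers and user not in writers[config]}


def cookie_hardening_gaps(set_cookie_header):
    """List session-cookie attributes missing from a Set-Cookie header value."""
    gaps = []
    for morsel in SimpleCookie(set_cookie_header).values():
        gaps += [attr for attr, key in (("HttpOnly", "httponly"), ("Secure", "secure"),
                                        ("SameSite", "samesite")) if not morsel[key]]
    return gaps
```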

Tags: Exploit, Fix, XSS

Related Identifiers: CVE-2024-27287, GHSA-9P43-HJ5J-96H5

Affected Products: Esphome