PT-2024-22673 · Esphome · Esphome
Highjesserockz · Published 2024-03-06 · Updated 2024-04-11 · CVE-2024-29019
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ESPHome versions 2023.12.9 through 2024.2.x; ESPHome version 2023.12.9
Description: The dashboard component of ESPHome contains API endpoints that are vulnerable to Cross-Site Request Forgery (CSRF), allowing remote attackers to act on behalf of a logged-in dashboard user and perform operations on configuration files, such as create, edit, and delete. A malicious actor can create a specially crafted web page that triggers a cross-site request against ESPHome, bypassing the authentication for API calls on the platform. This issue can be chained with another vulnerability to obtain a complete takeover of the user account. The victim must visit a weaponized page to trigger the vulnerability.
Recommendations: For ESPHome version 2023.12.9, update to version 2024.3.0 or later to resolve the issue. As a temporary workaround, restrict access to the dashboard component to minimize the risk of exploitation, and avoid using the dashboard component until the issue is resolved.

Exploit · Fix · XSS · CSRF

Weakness Enumeration

Related Identifiers

CVE-2024-29019
GHSA-5925-88XH-6H99
GHSA-9P43-HJ5J-96H5

Affected Products

Esphome