PT-2024-29963 · openHAB · CometVisu add-on

Published 2024-08-09 · Updated 2024-08-29 · CVE-2024-42467

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: openHAB CometVisu add-on, versions prior to 4.2.1
Description: The proxy endpoint of openHAB's CometVisu add-on can be reached without authentication. An unauthenticated attacker can use it for Server-Side Request Forgery (SSRF), making the openHAB server fetch attacker-chosen URLs, and for Cross-Site Scripting (XSS), leading to execution of malicious JavaScript code in a victim's browser. From there an attacker can call endpoints on the openHAB server even when it sits in a private network. Chained with other vulnerabilities, the issue may lead to Remote Code Execution (RCE).
Recommendations: Upgrade the CometVisu add-on to version 4.2.1 or later, which contains the fix. As a temporary workaround, restrict access to the proxy endpoint (for example, to authenticated users or trusted networks) and avoid using the proxy feature until the add-on has been updated.
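To make the two halves of the advisory concrete, the following Python is an added example and not code from openHAB or the CometVisu add-on. It models the vulnerable pattern (a "fetch this URL for me" endpoint with no authentication and no target validation) next to a hardened decision function that requires an authenticated caller, allowlists target hosts, rejects any host that resolves to loopback, private or link-local space (closing the SSRF half), and forces proxied responses into a non-executable content type (closing the XSS half). The `ProxyRequest` shape, the `FAKE_DNS` table, the allowlist and all function names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlparse


@dataclass
class ProxyRequest:
    """Minimal model of a GET /proxy?url=... call (an assumed request shape)."""
    url: str
    authenticated: bool  # did the caller present a valid openHAB session/token?


# Constructed name -> address table so the example runs without network access.
# Note: the 203.0.113.0/24 documentation range counts as private in Python's
# ipaddress module, so the "public" upstream uses a real-world public address.
FAKE_DNS: Dict[str, List[str]] = {
    "weather.example.com": ["93.184.216.34"],        # legitimate public upstream
    "intranet.example.com": ["10.0.0.5"],            # target inside the private network
    "evil.example.net": ["8.8.8.8", "127.0.0.1"],    # one public record, one loopback record
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def vulnerable_proxy_decision(req: ProxyRequest) -> Tuple[bool, str]:
    """The pattern the advisory describes: no auth check, no target validation.
    Any caller can make the server fetch any URL and receives the body verbatim."""
    return True, "fetch " + req.url


def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def hardened_proxy_decision(req: ProxyRequest, allowed_hosts: Set[str],
                            resolve: Callable[[str], List[str]] = fake_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason). Every rejection maps to an HTTP status a real
    handler would send; the reason strings are for the demonstration only."""
    if not req.authenticated:
        return False, "401: proxy requires an authenticated openHAB user"
    parts = urlparse(req.url)
    if parts.scheme not in ("http", "https"):
        return False, "400: only http(s) targets are proxied"
    host = parts.hostname  # normalised to lower case, IPv6 brackets stripped
    if host is None:
        return False, "400: missing host"
    if parts.username or parts.password:  # http://allowed-host@evil-host/ style tricks
        return False, "400: credentials in the target URL are not allowed"
    if host not in allowed_hosts:
        return False, f"403: {host} is not on the proxy allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, "502: could not resolve target"
    # Every record must be public: a single internal answer is enough to reach
    # the private network (multi-A-record answers, DNS rebinding).
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"403: {host} resolves to non-public address {ip}"
    return True, "fetch " + req.url


def harden_response_headers(upstream_content_type: str) -> Dict[str, str]:
    """Whatever the upstream sent, never let the proxied body execute as a
    document in the openHAB origin: that is the XSS half of the advisory."""
    ct = upstream_content_type.split(";")[0].strip().lower()
    executable = {"text/html", "application/xhtml+xml", "image/svg+xml",
                  "text/javascript", "application/javascript"}
    if not ct or ct in executable:
        ct = "text/plain"
    return {
        "Content-Type": ct,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Content-Disposition": "attachment",
    }


if __name__ == "__main__":
    allow = {"weather.example.com"}
    probe = ProxyRequest("http://intranet.example.com/rest/items", authenticated=False)
    print("vulnerable:", vulnerable_proxy_decision(probe))
    print("hardened:  ", hardened_proxy_decision(probe, allow))
    print("hardened:  ", hardened_proxy_decision(ProxyRequest("https://weather.example.com/now", True), allow))
    print("headers:   ", harden_response_headers("text/html; charset=utf-8"))
```

The order of checks matters: authentication is tested before anything else so that unauthenticated probing learns nothing about the allowlist, and the resolved addresses are checked after the host allowlist so that an allowlisted name that later starts resolving to an internal address is still refused.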

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2024-42467
GHSA-v7gr-mqpj-wwh3

Affected Products

CometVisu
openHAB