Vulnerability Description
The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Home-Assistant | Home Assistant Companion | < 2023.7 |
Related Weaknesses (CWE)
References
- https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xppVendor Advisory
- https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xppVendor Advisory
FAQ
What is CVE-2023-44385?
CVE-2023-44385 is a vulnerability with a CVSS score of 8.6 (HIGH). The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make t...
How severe is CVE-2023-44385?
CVE-2023-44385 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-44385?
Check the references section above for vendor advisories and patch information. Affected products include: Home-Assistant Home Assistant Companion.