Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-19T23:23:17.909Z

Updated: 2024-09-12T15:03:41.114Z

Reserved: 2023-09-04T16:31:48.225Z

Link: CVE-2023-41894

cve-icon Vulnrichment

Updated: 2024-08-02T19:09:49.255Z

cve-icon NVD

Status : Modified

Published: 2023-10-20T00:15:16.093

Modified: 2024-11-21T08:21:52.340

Link: CVE-2023-41894

cve-icon Redhat

No data.