CVE-2024-27287 (GCVE-0-2024-27287)
Vulnerability from cvelistv5
Published
2024-03-06 18:19
Modified
2024-08-26 14:04
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards. In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue.
References
Impacted products
Vendor Product Version
esphome esphome Version: >= 2023.12.9, < 2024.2.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:27:59.920Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5"
          },
          {
            "name": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:esphome:esphome:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "esphome",
            "vendor": "esphome",
            "versions": [
              {
                "lessThan": "2024.2.2",
                "status": "affected",
                "version": "2023.12.9",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27287",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-06T20:30:07.008805Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-26T14:04:49.512Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "esphome",
          "vendor": "esphome",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2023.12.9, \u003c 2024.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards.\nIn addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-06T18:19:48.117Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5"
        },
        {
          "name": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455"
        }
      ],
      "source": {
        "advisory": "GHSA-9p43-hj5j-96h5",
        "discovery": "UNKNOWN"
      },
      "title": "ESPHome vulnerable to stored Cross-site Scripting in edit configuration file API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-27287",
    "datePublished": "2024-03-06T18:19:48.117Z",
    "dateReserved": "2024-02-22T18:08:38.873Z",
    "dateUpdated": "2024-08-26T14:04:49.512Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-27287\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-06T19:15:07.723\",\"lastModified\":\"2024-11-21T09:04:15.180\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards.\\nIn addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue.\\n\"},{\"lang\":\"es\",\"value\":\"ESPHome es un sistema para controlar su ESP8266/ESP32 para sistemas de dom\u00f3tica. A partir de la versi\u00f3n 2023.12.9 y antes de la versi\u00f3n 2024.2.2, la edici\u00f3n del archivo de configuraci\u00f3n API en el componente del panel de ESPHome versi\u00f3n 2023.12.9 (instalaci\u00f3n de l\u00ednea de comando y complemento Home Assistant) proporciona datos no desinfectados con `Tipo de contenido: texto/ HTML; charset=UTF-8`, lo que permite a un usuario autenticado remoto inyectar secuencias de comandos web arbitrarias y extraer cookies de sesi\u00f3n mediante secuencias de comandos entre sitios. Es posible que un usuario autenticado malicioso inyecte Javascript arbitrario en archivos de configuraci\u00f3n mediante una solicitud POST al punto final /edit; el par\u00e1metro de configuraci\u00f3n permite especificar el archivo a escribir. Para activar la vulnerabilidad XSS, la v\u00edctima debe visitar la p\u00e1gina ` /edit?configuration=[archivo xss]`. Al abusar de esta vulnerabilidad, un actor malintencionado podr\u00eda realizar operaciones en el tablero en nombre de un usuario registrado, acceder a informaci\u00f3n confidencial, crear, editar y eliminar archivos de configuraci\u00f3n y actualizar firmware en tableros administrados. Adem\u00e1s de esto, las cookies no est\u00e1n protegidas correctamente, lo que permite la filtraci\u00f3n de los valores de las cookies de sesi\u00f3n. La versi\u00f3n 2024.2.2 contiene un parche para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5\", \"name\": \"https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455\", \"name\": \"https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:27:59.920Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-27287\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-06T20:30:07.008805Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:esphome:esphome:*:*:*:*:*:*:*:*\"], \"vendor\": \"esphome\", \"product\": \"esphome\", \"versions\": [{\"status\": \"affected\", \"version\": \"2023.12.9\", \"lessThan\": \"2024.2.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-26T14:04:45.642Z\"}}], \"cna\": {\"title\": \"ESPHome vulnerable to stored Cross-site Scripting in edit configuration file API\", \"source\": {\"advisory\": \"GHSA-9p43-hj5j-96h5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"esphome\", \"product\": \"esphome\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2023.12.9, \u003c 2024.2.2\"}]}], \"references\": [{\"url\": \"https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5\", \"name\": \"https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455\", \"name\": \"https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards.\\nIn addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue.\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-06T18:19:48.117Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-27287\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-26T14:04:49.512Z\", \"dateReserved\": \"2024-02-22T18:08:38.873Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-06T18:19:48.117Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.