The vulnerability is a stored Cross-Site Scripting (XSS) within the Home Assistant Energy Dashboard. It originates from the `friendly_name` attribute of an entity, such as one provided by the Tibber energy integration. This user-controlled or provider-controlled input is not sanitized before being rendered. The vulnerable code path flows from the `computeStateName` function, which retrieves the entity's name, to the `getStatisticLabel` function, and finally to the graph card's tooltip generation. Specifically, in the `hui-energy-devices-graph-card.ts` file, the `params.seriesName` variable, which contains the unsanitized entity name, is concatenated directly into an HTML string using a template literal. This string is then set as the `innerHTML` property of the tooltip, so any markup or script embedded in the entity name is executed when a user hovers over a data point on the dashboard.
Platform: Home Assistant
Version: Pre-2023.9.0
Vulnerability: Stored XSS
Severity: Critical
Date: 2023-08-31
Prediction: 2023-09-06
What Undercode Says:
grep -r "seriesName" src/panels/lovelace/cards/energy/
// Vulnerable code in hui-energy-devices-graph-card.ts: the tooltip formatter
// builds an HTML string that is later assigned to innerHTML. seriesName is the
// entity name and is interpolated without escaping.
return `${params.marker} ${params.seriesName}: ${value}`;
// Source of the seriesName value (the series definition):
name: type in labels ? labels[type] : getStatisticLabel(this.hass, statId, statisticsMetaData[statId]),
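As an added example (not Home Assistant's own code; the marker HTML and the entity name below are constructed), the vulnerable formatter shape is placed beside a hardened one that escapes only the untrusted name, plus a simple check that counts the tags reaching innerHTML:

```typescript
// Added example, not Home Assistant code. Shows how an entity friendly_name
// reaches innerHTML through the tooltip formatter, and how escaping only the
// untrusted field (not the chart-generated marker) closes the hole.

interface TooltipParams {
  marker: string;     // colour swatch emitted by the chart library, already HTML
  seriesName: string; // derived from the entity friendly_name: untrusted input
}

// Minimal HTML escaper for text that will be inserted via innerHTML.
function escapeHtml(text: string): string {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape (mirrors the page's code): the name goes in verbatim.
function vulnerableTooltip(params: TooltipParams, value: string): string {
  return `${params.marker} ${params.seriesName}: ${value}`;
}

// Hardened shape: escape seriesName; the trusted marker markup stays intact.
function safeTooltip(params: TooltipParams, value: string): string {
  return `${params.marker} ${escapeHtml(params.seriesName)}: ${value}`;
}

// Defender-side check: count HTML tags in the string handed to innerHTML.
// Only the marker's two tags should ever be present.
function countTags(html: string): number {
  return (html.match(/<[a-zA-Z!/][^>]*>/g) || []).length;
}

// Constructed sample values (assumptions for this example, not real data).
const MARKER = '<span style="display:inline-block;background-color:#1f77b4;"></span>';
const HOSTILE_NAME = 'Heat pump <img src=x onerror="probe()">';

function demo(): { vulnerable: string; safe: string } {
  const params: TooltipParams = { marker: MARKER, seriesName: HOSTILE_NAME };
  return {
    vulnerable: vulnerableTooltip(params, "12.5 kWh"), // 3 tags: swatch + injected img
    safe: safeTooltip(params, "12.5 kWh"),             // 2 tags: swatch only
  };
}
```

Escaping at the render point is the fix the page's advice ("Escape tooltip content") describes; validating names at ingestion alone is not sufficient, because integrations can supply names the user never typed.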
How to Exploit:
1. Create energy entity.
2. Set malicious name.
3. Victim hovers graph.
Protection from this CVE:
Update to 2023.9.0.
Sanitize entity names.
Escape tooltip content.
Impact:
Arbitrary script execution.
Session hijacking.
Privilege escalation.
Sources:
Reported By: github.com