CVE-2023-41893: 
Python vulnerability analysis and mitigation

Home Assistant, an open source home automation software, was found to contain a vulnerability (CVE-2023-41893) where the redirect_uri and client_id parameters could be manipulated during login. The vulnerability was discovered during a Cure53 security audit and disclosed on October 19, 2023. This issue affects all versions of Home Assistant prior to 2023.9.0 (Vendor Advisory, GitHub Advisory).

The vulnerability allows manipulation of the redirect_uri and client_id parameters during authentication, causing the code parameter used to fetch the access_token to be sent to an attacker-specified URL. The CVSS v3.1 base score is 5.4 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (NVD).

An attacker could potentially gain unauthorized access to a victim's Home Assistant instance by obtaining their access token. This attack is only possible if the victim's Home Assistant instance is exposed to the Internet and requires user interaction. The attacker could increase the effectiveness of this attack by registering a domain similar to homeassistant.local to appear legitimate (GitHub Advisory).

This vulnerability has been patched in Home Assistant version 2023.9.0. All users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory).

The vulnerability was discovered during a security audit conducted by Cure53, a well-known cybersecurity firm. According to their report, while this issue was identified, they noted that the overall quality of the Home Assistant codebase was impressive, with resilient design paradigms in place (Vendor Advisory).