CVE-2023-41896: 
Homebrew vulnerability analysis and mitigation

Home Assistant, an open-source home automation software, was found to contain a critical vulnerability (CVE-2023-41896) discovered during a security audit by Cure53. The vulnerability was disclosed in October 2023 and affects Home Assistant Core versions prior to 2023.8.0 and the npm package home-assistant-js-websocket versions before 8.2.0. The vulnerability involves the WebSocket authentication logic that could allow attackers to perform a full system takeover (GitHub Advisory).

The vulnerability stems from the WebSocket authentication logic's handling of the auth_callback=1 parameter in conjunction with the state parameter. The state parameter contains the hassUrl, which is used to establish WebSocket connections. An attacker can exploit this by creating a malicious Home Assistant link with a modified state parameter, forcing the frontend to connect to an alternative WebSocket backend. The vulnerability has been assigned a CVSS v3.1 base score of 9.0 (Critical) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (NVD).

The successful exploitation of this vulnerability allows attackers to spoof WebSocket responses and trigger Cross-Site Scripting (XSS) attacks. Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, essentially enabling a comprehensive takeover of the system. This could give attackers full control over the user's smart home devices and sensitive information (Security Online).

The vulnerability has been patched in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket version 8.2.0. Users are strongly advised to upgrade to these or later versions. The fix involves modifications to the WebSocket code's authentication flow to prevent trusting the hassUrl passed in via GET parameters (GitHub Advisory).