Search for packages
| purl | pkg:pypi/homeassistant@0.83.2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 2.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-31pr-2784-2yca
Aliases: CVE-2025-65713 GHSA-pp3g-xmm4-5cw9 |
Home Assistant Core before is vulnerable to Directory Traversal Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability. |
Affected by 3 other vulnerabilities. |
|
VCID-6rdv-ky8a-sqek
Aliases: CVE-2023-50715 GHSA-jqpc-rc7g-vf83 |
Exposure of Sensitive Information to an Unauthorized Actor Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles. However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it. |
Affected by 3 other vulnerabilities. |
|
VCID-e4ck-vd5q-1kh1
Aliases: CVE-2025-25305 GHSA-m3pm-rpgg-5wj6 |
Affected by 2 other vulnerabilities. |
|
|
VCID-pww9-arp9-4qa8
Aliases: CVE-2023-41893 GHSA-qhhj-7hrc-gqj5 PYSEC-2023-214 |
Home assistant is an open source home automation. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim’s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||